SQL Injection
Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from MySQL injection I have created another problem for myself....

Currently all user-inputted strings go through this function:

Code:
    // Called on every user-supplied string before it is used in a query
    function cleanQuery($string)
    {
        // Undo PHP's magic_quotes_gpc auto-escaping so the value is not escaped twice
        if (get_magic_quotes_gpc())
        {
            $string = stripslashes($string);
        }
        // Escape quotes, backslashes, NUL, \n and \r for use inside a MySQL string literal
        $string = mysql_real_escape_string($string);

        // HTML-encode the same value (done here at input time, before storage)
        $string = htmlentities($string);

        return $string;
    }
For the most part it's great, HOWEVER... there are three fields in which I would like the user to be able to enter line breaks. An "About me" field, for example: if it is run through the above function, the new lines are replaced with an 'r', which I assume is "created" by the mysql_real_escape.

Questions:

1) Should I run the function on every user variable?
2) Is there a safe "fix" or some alternative which I can run on the three fields that may require line breaks?

Thanks.
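For context on the two questions above: mysql_real_escape_string() rewrites a newline as the two characters backslash and n, and MySQL only turns that sequence back into a newline when the value arrives inside a quoted SQL literal; if the escaped string is displayed directly, or escaped twice, the backslash sequence stays visible. Escaping at input time also bakes the HTML encoding into the stored data. The approach a practitioner would use instead is prepared statements for storage (the value never touches the SQL text, so no escaping is needed and line breaks survive) and HTML encoding at the moment of output. The old mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so the example below uses PDO. This is an added example, not code from the original post; it uses an in-memory SQLite database so it runs offline (swap the DSN for a mysql: one in production), and the table and column names are made up for the demo.

```php
<?php
// Added example, not from the original post: store user input unescaped via
// prepared statements and HTML-encode only at output time, so line breaks in
// an "About me" field survive the round trip and injection payloads stay data.
//
// Assumption: an in-memory SQLite database stands in for MySQL so this runs
// offline. For MySQL use a DSN such as
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' with the same code.
// The 'profiles' table and its columns are invented for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL this forces real server-side prepares instead of client-side
// string interpolation; SQLite always prepares natively.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT, about_me TEXT)');

// Storage: bind the raw strings. The driver sends them separately from the
// SQL text, so quotes, backslashes and newlines are data, never syntax.
function saveProfile(PDO $pdo, string $username, string $aboutMe): int
{
    $stmt = $pdo->prepare('INSERT INTO profiles (username, about_me) VALUES (:u, :a)');
    $stmt->execute([':u' => $username, ':a' => $aboutMe]);
    return (int) $pdo->lastInsertId();
}

function loadAboutMe(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT about_me FROM profiles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['about_me'] : null;
}

// A lookup that would be the classic injection point if the username were
// concatenated into the query; with a bound parameter the payload is just a
// string that matches nothing.
function countByUsername(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM profiles WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return (int) $stmt->fetchColumn();
}

// Output: encode for HTML here, not before storage. nl2br() turns the stored
// newlines into <br /> tags after the text has already been made inert.
function renderAboutMe(string $aboutMe): string
{
    return nl2br(htmlspecialchars($aboutMe, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed input: a quote, a backslash, a <script> tag and two newlines.
$aboutMe = "I'm a C:\\Users fan\n<script>alert(1)</script>\nSecond paragraph";
$id = saveProfile($pdo, 'alice', $aboutMe);
saveProfile($pdo, "bob' OR 1=1 --", 'payload stored as plain text');

if (loadAboutMe($pdo, $id) !== $aboutMe) {
    throw new RuntimeException('round trip altered the text');
}
if (countByUsername($pdo, "bob' OR 1=1 --") !== 1 || countByUsername($pdo, "' OR 1=1 --") !== 0) {
    throw new RuntimeException('bound parameter was interpreted as SQL');
}

echo renderAboutMe(loadAboutMe($pdo, $id), "\n";
```

With this split there is no per-field "fix" to apply: every value goes through a bound parameter regardless of whether it may contain line breaks, and the only place the text is transformed is the template that prints it. If the legacy mysql_* code has to stay for now, the equivalent caveat is that mysql_real_escape_string() must be called on a connection whose character set has been set with mysql_set_charset(), and htmlentities() should move from cleanQuery() to the output side so the database holds the user's actual text.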

No comments posted yet
