SQL Injection
Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from MySQL injection I have created another problem for myself....

Currently, all user-inputted strings go through this function:

Code:
function cleanQuery($string)
{
    // Undo magic_quotes_gpc so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }

    // Escape for use inside a quoted MySQL string literal
    $string = mysql_real_escape_string($string);

    // Convert HTML special characters to entities
    $string = htmlentities($string);

    return $string;
}
For the most part, it's great. HOWEVER... there are three fields which I would like the user to be able to enter spaces in. An "About me" field, for example: if it is run through the above function, the new lines are replaced with an 'r', which I assume is "created" by mysql_real_escape.

Questions:

1) Should I run the function on every user variable?
2) Is there a safe "fix" or some alternative which I can run on the three fields that may require line breaks?

thanks.
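An added example, not the poster's code, showing the separation that avoids the problem described in the post: SQL quoting is left to a prepared statement at query time, and HTML encoding is applied only when the text is displayed, so line breaks in the stored "About me" text are preserved. The DSN, credentials, `profiles` table and `about_me` column are assumed names for illustration.

```php
<?php
// Added example (not the poster's code). Assumed: a MySQL database reachable
// via the DSN below, with a table `profiles` (id INT, about_me TEXT).

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements rather than
            // client-side emulation, so values never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Storing: pass the raw text as a bound parameter. No per-field escaping
// function is needed, and newlines in the value are stored as-is.
function saveAboutMe(PDO $pdo, int $userId, string $aboutMe): void
{
    // On legacy PHP with magic_quotes_gpc on, strip the added slashes first
    // (mirrors the check in the poster's function); newer PHP removed it.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $aboutMe = stripslashes($aboutMe);
    }

    $stmt = $pdo->prepare(
        'UPDATE profiles SET about_me = :about WHERE id = :id'
    );
    $stmt->execute([':about' => $aboutMe, ':id' => $userId]);
}

// Displaying: encode for HTML at output time, then turn the preserved
// newlines into <br> tags. Encoding here instead of at input keeps the
// database holding the real text and avoids entities piling up on re-save.
function renderAboutMe(string $aboutMe): string
{
    $encoded = htmlspecialchars($aboutMe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($encoded);
}

// Constructed sample input: contains a quote, a tag and a line break.
$sample = "I'm a \"PHP\" dev.\nSecond line <b>not bold</b>";
echo renderAboutMe($sample);
```

The same prepared-statement approach applies to every user-supplied value, which answers the first question: there is no per-variable escaping step to remember, only parameter binding.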
