SQL Injection
Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from MySQL injection I have created another problem for myself....

Currently all user-inputted strings go through this function:

Code:
<?php
// Runs on every user-supplied string before it is used in a query.
function cleanQuery($string)
{
    // Undo the backslashes PHP adds automatically when magic_quotes_gpc is on,
    // so the value is not escaped twice below.
    if (get_magic_quotes_gpc())
    {
        $string = stripslashes($string);
    }
    // Escapes ' " \ NUL and the line-break bytes \r and \n for use inside a
    // quoted MySQL string literal (a \n byte becomes the two characters \ and n).
    // Needs an open mysql_* connection; the mysql extension was removed in PHP 7.
    $string = mysql_real_escape_string($string);

    // HTML-encodes < > & and quotes. This is output encoding, applied here
    // before the value reaches the database rather than when it is displayed.
    $string = htmlentities($string);

    return $string;
}
For the most part it's great, HOWEVER... there are three fields in which I would like the user to be able to enter spaces. An "About me" field, for example: if it is run through the above function, the new lines are replaced with an 'r', which I assume is "created" by mysql_real_escape_string.

Questions:

1) Should I run the function on every user variable?
2) Is there a safe "fix" or some alternative which I can run on the three fields that may require line breaks?

Thanks.
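The root of the problem is that the posted function does two different jobs at the wrong layer: mysql_real_escape_string() produces text that is only correct when it is pasted straight into a quoted SQL literal (it turns a line-break byte into the two characters backslash and n, and if that escaped text is escaped again or stored as-is the backslashes end up in the data), and htmlentities() is output encoding that belongs at render time, not before storage. The usual fix is to stop escaping for storage altogether and bind user values with a prepared statement, then encode for HTML when the "About me" text is displayed. The following is an added example written for this answer, not code from the original poster; it assumes PDO with the sqlite driver (an in-memory SQLite database stands in for MySQL, where only the DSN would differ) and the table and column names `profiles`, `username` and `about_me` are made up for the illustration.

```php
<?php
// Added example: store user text verbatim with a prepared statement, and
// escape for HTML only when rendering. Assumes the pdo_sqlite extension;
// for MySQL use new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass)
// and keep everything else the same. Table and column names are hypothetical.

declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask the driver for real server-side prepared statements, not client-side
    // emulation, so the values never travel inside the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT NOT NULL, about_me TEXT NOT NULL)');
    return $pdo;
}

// Storage: bind every user-supplied value. Quotes, backslashes and line
// breaks are stored exactly as typed and cannot alter the statement, so no
// escaping function is needed here at all (and none should be applied).
function saveProfile(PDO $pdo, string $username, string $aboutMe): int
{
    $stmt = $pdo->prepare('INSERT INTO profiles (username, about_me) VALUES (:u, :a)');
    $stmt->execute([':u' => $username, ':a' => $aboutMe]);
    return (int) $pdo->lastInsertId();
}

// Lookups take the same route: the id is bound, never concatenated.
function loadProfile(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT username, about_me FROM profiles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output: encode for the HTML context at render time. htmlspecialchars()
// runs first so user-supplied tags become inert text; nl2br() then turns the
// stored line breaks into <br /> tags, which is what the "About me" field needs.
function renderAboutMe(string $aboutMe): string
{
    return nl2br(htmlspecialchars($aboutMe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Constructed sample input for the demonstration: a username carrying a
// classic injection attempt and an "about me" with CRLF and LF line breaks,
// an apostrophe and a script tag.
$pdo = connect();
$username = "mallory' OR '1'='1";
$aboutMe  = "Line one\r\nLine two\nO'Brien's <script>alert(1)</script>";

$id  = saveProfile($pdo, $username, $aboutMe);
$row = loadProfile($pdo, $id);

// The stored text is byte-for-byte what the user typed: no backslashes, no
// HTML entities, line breaks intact. The username did not change the INSERT.
var_dump($row['about_me'] === $aboutMe);
var_dump($row['username'] === $username);

// Only the rendered form is HTML-encoded, and the line breaks become <br />.
echo renderAboutMe($row['about_me']), "\n";
```

With this split there is no longer a reason to treat the three multi-line fields differently from the rest: every value goes through a bound parameter on the way in, and every value goes through htmlspecialchars() (plus nl2br() where line breaks should show) on the way out. If some legacy code path still builds SQL by string concatenation, mysql_real_escape_string() must be applied to the raw value exactly once, immediately before it is placed between quotes in that one query, and never to a value that is about to be stored or re-escaped.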
