SQL Injection


Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from MySQL injection I have created another problem for myself....

Currently all user-inputted strings go through this function:

Code: function cleanQuery($string)
{
    // Undo the automatic escaping added by magic_quotes_gpc so the
    // value is not escaped twice below.
    if (get_magic_quotes_gpc())
    {
        $string = stripslashes($string);
    }
    // Escape quotes, backslashes, NUL, \n and \r for use inside an SQL string literal.
    $string = mysql_real_escape_string($string);

    // Convert characters that have HTML entity equivalents (e.g. < > & ").
    $string = htmlentities($string);

    return $string;
}
For the most part it's great, HOWEVER... there are three fields in which I would like the user to be able to enter spaces. An "About me" field, for example: if it is run through the above function the new lines are replaced with a 'r', which I assume is "created" by mysql_real_escape_string.

Questions:

1) Should I run the function on every user variable?
2) Is there a safe "fix" or some alternative which I can run on the three fields which may require line breaks?

Thanks.

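Added example (editor's code, not the poster's): the usual way to avoid both problems at once is to stop escaping for SQL by hand and bind every user value as a prepared-statement parameter, then escape for HTML only when the text is printed. The bound value is never parsed as SQL, so quotes and line breaks are stored exactly as typed, and nothing needs to be "un-escaped" later. The DSN, credentials, and the `profiles` table with its `id` and `about_me` columns are assumptions for this example.

```php
<?php
// Added example, not from the original post.
// Assumes a MySQL database reachable via PDO and a hypothetical
// table `profiles` (id INT PRIMARY KEY, about_me TEXT).

function connect(): PDO
{
    // Assumption: DSN and credentials are placeholders for this example.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'PLACEHOLDER_PASSWORD'
    );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements, not client-side emulation,
    // so values and SQL text travel to the server separately.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Store the "About me" text exactly as typed. No escaping function is
// applied: the value is sent as a bound parameter, so quotes, backslashes
// and line breaks can never be interpreted as SQL, and newlines stay intact.
function saveAboutMe(PDO $pdo, int $userId, string $aboutMe): void
{
    $stmt = $pdo->prepare('UPDATE profiles SET about_me = :about WHERE id = :id');
    $stmt->execute([':about' => $aboutMe, ':id' => $userId]);
}

// Read the text back and escape for the HTML context only here, at output
// time. nl2br() is applied after escaping, so the stored newlines become
// <br /> tags while any markup the user typed is rendered as plain text.
function renderAboutMe(PDO $pdo, int $userId): string
{
    $stmt = $pdo->prepare('SELECT about_me FROM profiles WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $text = (string) $stmt->fetchColumn();
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Usage with a constructed sample value containing a quote and a line break.
$pdo = connect();
saveAboutMe($pdo, 42, "I'm a PHP dev & I like O'Reilly books.\nSecond line here.");
echo renderAboutMe($pdo, 42);
```

On the two questions: with bound parameters there is no escaping function to run on "every user variable", because every value goes through the same binding path regardless of which field it came from; and the fields that need line breaks need no special case, since the newline is stored as data and only converted to `<br />` when rendered. The general rule is to escape for the context where the value is used (SQL via binding, HTML via `htmlspecialchars`), not once at input time, which is what produced the stray characters in the "About me" field.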