SQL Injection


Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from mySQL injection I have created another problem for myself....

Currently all user inputted strings go through this function;

Code: function cleanQuery($string)
{
if(get_magic_quotes_gpc())
{
$string = stripslashes($string);
}
$string = mysql_real_escape_string($string);

$string = htmlentities($string);

return $string;
}
In the most, its great HOWEVER... there are three fields which I would like the user to be able to enter spaces in. An "About me" field for example, if it is run through the above function the new lines are replaced with a 'r' which i assume is "created" by the mysql_real_escape.

Question;

1) Should i run the function on every user variable?
2) Is there a safe "fix" or something alternative which i can run on the three fields which may require line breaks.

thanks.

No comments posted yet

Your Answer:

Login to answer
162 Like 9 Dislike
Previous forums Next forums
Other forums

IP question
ive got 2 ip addresses both global from same user how would i detect if they are local to each other

Phase Error I can't seem to find :(`
Hey guys, I can seem to find my phase error on this. I am getting this error

[error]
Pars

how do i make a string??
hey guys,
can someone please tell me how to put data from the glob function into a string

PHP Display Telephone Number On Referrer
I have used the php below to show a different telephone number in the header of the site depending u

Problem assigning value to variable in "IF" function
Does this script makes sense? I am trying to take the value that is set to "authenticat" a

Load Animated Image while cache is serve
I have a page that loads up using cache and took about 1 to 2 minutes before it loads to the page. <

Simple Question
I know this is a simple question, that if I knew what it was technically called i could probably loo

BAPI BBP_INB_DELIVERY_CREATE - material number missing in delivery
Hi Experts,

I was able to successfully create an Inbound delivery with reference to a PO

Easy administration on MySQL databases
My website is database driven and I am very tired of manually making queries to my tables in order t

DYNPRO_FIELD_CONVERSION
Hi gurus,

I got a dump when I run one of my program. the dump is described below:

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash