SQL Injection


Posted on 16th Feb 2014 07:03 pm by admin

In my attempts to protect my database from mySQL injection I have created another problem for myself....

Currently all user inputted strings go through this function;

Code:

    function cleanQuery($string)
    {
        // Undo the backslashes that magic_quotes_gpc adds automatically,
        // so the value is not escaped twice below
        if (get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }

        // Escape quotes, backslashes, NUL and line-break characters
        // for use inside a MySQL string literal
        $string = mysql_real_escape_string($string);

        // Convert HTML-significant characters to entities
        // (an output-context step, applied here at input time)
        $string = htmlentities($string);

        return $string;
    }
For the most part it's great, HOWEVER... there are three fields which I would like the user to be able to enter spaces in. An "About me" field, for example: if it is run through the above function, the new lines are replaced with an 'r', which I assume is "created" by the mysql_real_escape_string call.

Questions:

1) Should I run the function on every user variable?
2) Is there a safe "fix" or alternative which I can run on the three fields that may require line breaks?

Thanks.

No comments posted yet
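Editor's note, since no answer was ever posted: the example below is added here and is not the original poster's code. It shows the approach a security engineer would recommend instead of a single cleanQuery() pass on input. A PDO prepared statement sends the value separately from the SQL text, so quotes and line breaks are stored exactly as typed and cannot alter the query; HTML escaping is then done once, at output time, with htmlspecialchars() and nl2br() for the fields that may contain line breaks. The mysql_* functions used in the question were deprecated in PHP 5.5 and removed in PHP 7. The script assumes PDO with the sqlite driver is available and uses an in-memory database so it runs stand-alone; in production the DSN would point at MySQL. The sample username and "About me" text are constructed for the example.

```php
<?php
// Added example, not the poster's code. Parameterised queries (PDO prepared
// statements) keep user input byte-for-byte intact and make the value unable to
// change the meaning of the SQL. No escaping is applied on the way in; HTML
// escaping happens once, at output time, for the HTML context.
//
// Assumptions: PDO with the sqlite driver is available (an in-memory database
// is used so the script runs stand-alone); in production the DSN would be MySQL.

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT NOT NULL, about TEXT NOT NULL)');
    return $pdo;
}

// Store a profile. The placeholders :u and :a are filled by the driver;
// this function never touches the strings themselves.
function saveProfile(PDO $pdo, string $username, string $about): void
{
    $stmt = $pdo->prepare('INSERT INTO profiles (username, about) VALUES (:u, :a)');
    $stmt->execute([':u' => $username, ':a' => $about]);
}

// Read it back the same way; a username containing a quote is just a value here.
function loadAbout(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT about FROM profiles WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $about = $stmt->fetchColumn();
    return $about === false ? null : $about;
}

// Output-side escaping: entities for the HTML context, then <br /> for the
// line breaks that an "About me" field is allowed to contain.
function renderAbout(string $about): string
{
    return nl2br(htmlspecialchars($about, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample input: a quote in the username and, in the free-text
// field, Windows line breaks, an HTML tag and a classic injection payload.
$username = "o'reilly";
$about    = "First line\r\nSecond <b>line</b>\r\n' OR '1'='1";

$pdo = openDb();
saveProfile($pdo, $username, $about);
$stored = loadAbout($pdo, $username);

// The stored text is exactly what the user typed: no escaping to undo and
// no stray r or n characters where the line breaks were.
printf("round trip intact: %s\n", var_export($stored === $about, true));

// For comparison, the query that string concatenation would have produced.
// It is printed, not executed; the quote in the payload ends the literal early.
printf("concatenated query would have been: %s\n",
    "SELECT about FROM profiles WHERE username = '" . $about . "'");

// The only escaping step, performed in the template at render time.
echo renderAbout($stored), "\n";
```

The division of labour is the point: the database layer gets raw data through bound parameters, and each output context (HTML here; a different encoder for JSON, URLs or shell) applies its own escaping when the value is written out. Applying htmlentities() before storage, as cleanQuery() does, bakes one output format into the data and breaks every other consumer of the same column.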