SQL Security
Hey guys,
I'm really worried about security on this site, and would like to see if I can get any more suggestions / tips from the many heads we have out here. This is my form check function so far: Code:

```php
// If they entered data that should be going into an SQL database, then make it more secure //
function sql_form($v){
    // if magic quotes are on, strip their backslashes so we can add GOOD backslashes ourselves //
    if(get_magic_quotes_gpc()){ $v = stripslashes($v); }
    // if they entered nothing, simply give it NULL //
    if($v == ""){ $v = "NULL"; }
    // if the value has been set and it isn't a number, then escape the quotes //
    if($v != "" && !is_numeric($v)){
        $v = mysql_real_escape_string($v);
    }
    // remove the fatal query characters //
    $v = str_replace(";", "", $v);
    return $v;
}
```
Anything else I can add/do to improve this yet again?
- Richie
Last edited by wilorichie: May 8th, 2008 at 06:14 AM.
|
#2
Another question:
When I check my database, it displays my'string rather than my\'string. What's going on there? Shouldn't the database have \' when I am using mysql_real_escape_string()? Is my function not working properly!?
|
#3
For your second post, no. The escape characters are only in the query string to allow the special characters to be treated as data. The escape characters are not inserted into the database.
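To make the point of the reply above concrete, and to show why the posted sql_form() is not enough on its own, here is an added example that is not code from the original thread. It runs offline against an in-memory SQLite database through PDO (assumption: the pdo_sqlite extension is installed), with constructed sample inputs: the my'string value from post #2 and an attacker-supplied id. SQLite escapes a single quote by doubling it ('') where mysql_real_escape_string() emits a backslash (\'); the mechanism differs but the lesson is identical: the escape characters live only in the query text, never in the row, and escaping protects nothing outside a quoted string literal.

```php
<?php
// Added example, not code from the original thread. Runs offline against an
// in-memory SQLite database through PDO (assumption: pdo_sqlite is installed).
// SQLite escapes a single quote by doubling it ('') where
// mysql_real_escape_string() emits a backslash (\'); what gets stored is the same.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample inputs: the value from post #2 and an attacker's value.
$name = "my'string";
$id   = "1 OR 1=1";

// 1. Escaping only changes the query text. The quoted literal contains the
//    escape characters; the stored row does not.
$literal = $db->quote($name);                       // 'my''string'
$db->exec("INSERT INTO users (name) VALUES ($literal)");
$db->exec("INSERT INTO users (name) VALUES ('second')");
$stored = $db->query('SELECT name FROM users WHERE id = 1')->fetchColumn();
printf("query literal: %s, stored value: %s, identical to input: %s\n",
       $literal, $stored, var_export($stored === $name, true));

// 2. Escaping protects nothing outside a quoted literal. The posted sql_form()
//    hands back text like "1 OR 1=1" unchanged (it contains no quote to escape
//    and no semicolon to strip), so interpolating it unquoted is an injection.
$escaped = substr($db->quote($id), 1, -1);          // escape, but add no quotes
$rows = $db->query("SELECT name FROM users WHERE id = $escaped")
           ->fetchAll(PDO::FETCH_COLUMN);
printf("unquoted interpolation returned %d rows\n", count($rows)); // every row

// 3. A prepared statement sends the value separately from the SQL text, so the
//    attacker's input is compared as a value and no escaping is needed at all.
$stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
$stmt->execute([$id]);
printf("prepared statement returned %d rows\n",
       count($stmt->fetchAll(PDO::FETCH_COLUMN)));  // none
```

Run it with `php example.php`. The same PDO prepare/execute calls work unchanged against MySQL (`new PDO('mysql:host=...;dbname=...', $user, $pass)`), which is the practical answer to post #1: bind every user-supplied value as a parameter instead of escaping and stripping characters by hand. Two caveats for anyone reading this thread today: get_magic_quotes_gpc() and magic quotes were removed in PHP 5.4, and the whole mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7.0, so the posted function will not run on a current PHP release.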
Viewing: Codewalkers Forums > PHP Related > PHP Coding > SQL Security