Hello Thone,

You can use mysql_real_escape_string(), or mysql_escape_string() for versions prior to 4.3.0, to assist with quoting MySQL queries. If you use another DB, look at the manual for the relevant escape function. I use this function just before I insert variables into an SQL string:

    // Escape a value for use inside a quoted MySQL string literal.
    // If magic_quotes_gpc added backslashes already, strip them first
    // so the value is not escaped twice. Falls back to
    // mysql_escape_string() on PHP versions before 4.3.0.
    function clean($var) {
        if (!get_magic_quotes_gpc()) {
            if (!function_exists("mysql_real_escape_string")) {
                return mysql_escape_string($var);
            }
            return mysql_real_escape_string($var);
        }
        if (!function_exists("mysql_real_escape_string")) {
            return mysql_escape_string(stripslashes($var));
        }
        return mysql_real_escape_string(stripslashes($var));
    }

Then when details are submitted, make sure you clean any unwanted content from those variables. Also make sure input is what you're expecting, i.e.

    // Only build the query when the id is all digits; otherwise
    // $cleanid would be undefined and the query would be wrong.
    if (ctype_digit($_GET['someid'])) {
        $cleanid = clean($_GET['someid']);
        $sql = "SELECT `field` FROM `table` WHERE `someid`='$cleanid'";
    }

Also see http://phpsec.org/ - it's a new website that will help you on your way to securing your PHP applications.

HTH
Jarrattt

On Mon, 07 Feb 2005 20:01:43 +0700, Thone <theeraputhm@xxxxxxxxxxxxxxxx> wrote:
> I'm curious about how to protect SQL queries. For example, if I get some
> variables from the user using the GET or POST method, then I have to use them in
> an SQL query sentence. How can I make sure that users don't play tricks by
> inserting some SQL command into the variable, resulting in a wrong SQL
> command? Is there any method to prevent that?
>
> Another question is: are there any PHP built-in functions to remove
> some unwanted characters (like " and ' and \ and / ...) or do I have to do
> it manually?
>
> Best Regards,
> Thone
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
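An added example, not code from either message in the thread, showing why the concatenation Thone describes is unsafe and the two defences that close it: validating the input shape first (the ctype_digit() check in the reply) and, as an approach the reply does not mention, binding the value with a PDO prepared statement instead of escaping it, since the ext/mysql functions were removed in PHP 7. The $pdo handle and the sample inputs are assumed and constructed.

```php
<?php
// Added example, not from the original thread. $pdo is assumed to be an
// open PDO connection to a MySQL database.

// Unsafe: user input is pasted straight into the SQL text, so a stray
// quote ends the string literal and the rest is parsed as SQL.
function unsafe_query(string $id): string {
    return "SELECT `field` FROM `table` WHERE `someid`='$id'";
}

// Defence 1: whitelist the input shape before it goes near SQL.
// For an id, ctype_digit() accepts only 0-9, so quotes, backslashes
// and comment markers can never reach the query at all.
function safe_query_validated(string $id): ?string {
    if (!ctype_digit($id)) {
        return null; // reject; do not try to "repair" bad input
    }
    return "SELECT `field` FROM `table` WHERE `someid`=" . (int) $id;
}

// Defence 2: bind the parameter instead of interpolating it. The server
// receives the SQL and the value separately, so the value is never
// parsed as SQL. This also works for free-text input where no
// whitelist is possible.
function safe_query_prepared(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT `field` FROM `table` WHERE `someid` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal id, and one carrying a quote character,
// the kind of unwanted character Thone asked about.
$inputs = ["42", "42'"];
foreach ($inputs as $in) {
    echo "input: $in\n";
    echo "  unsafe:    " . unsafe_query($in) . "\n";
    echo "  validated: " . (safe_query_validated($in) ?? "REJECTED") . "\n";
}
```

Run it from the command line to compare the two query strings; the unsafe version for the second input is no longer a single well-formed literal, which is exactly the condition escaping or binding prevents.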