i have implemented a way to avoid sql injection from the php website from this url http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page following are the steps i have followed after the form values are submitted to a php file. step 1. if(get_magic_quotes_gpc()) { $username = stripslashes($_POST["username"]); ......... } else { $username = $_POST["username"]; ......... } step 2. $conn = mysql_connect($hostname, $user, $password); step 3. $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...); step 4. if(!$conn) { header("Location: http://website/dberror.html";); exit; } else { mysql_select_db($database, $conn); $insertqueryresult = mysql_query($insertquery); if(!$insertqueryresult) { header("Location: http://website/error.html";); exit; } } with the above method i am able to insert values into the table even with if i enter the ' special character which can cause problems. i have also used a simple sql insert query like $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)"; when i used this simple insert query and if i entered ' in the form and submitted the form the php file is unable to process the information entered because of the ' character and as per the code error.html file is being displayed where as if i use $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...); even if i enter any number of ' characters in more than 1 form field data is being inserted into the table a) so i am thinking that the steps i have taken from the php site is correct and the right way to avoid sql injection though there are several ways to avoid sql injection. b) for example if i enter data in the form as = abc'''def for name, the data in the table for the name field is being written as abc'''def based on how i have written the steps to avoid sql injection is this the right way for the data to be stored with ' characters along with the data example as i mentioned = abc'''def please answer the questions a) and b) if there is something else i need to do please suggest what needs to be done exactly and at which step. any help will be greatly appreciated. thanks.
