You can write (') characters in the database; that's fine. mysql_real_escape_string avoids injections by doing exactly that: escaping characters. So when you put abc'''def in a form, the query will be INSERT ..... (name.....) VALUES ('abc\'\'\'def'...., each ' => \'. For me the steps are right.

Regards

On Thu, May 29, 2008 at 4:10 PM, Sudhakar <sudhakararaog@xxxxxxxxx> wrote:
> I have implemented a way to avoid SQL injection from the PHP website from this URL
> http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page.
>
> Following are the steps I have followed after the form values are submitted to a PHP file.
>
> step 1.
>
> if(get_magic_quotes_gpc())
> {
>     $username = stripslashes($_POST["username"]);
>     .........
> }
> else
> {
>     $username = $_POST["username"];
>     .........
> }
>
> step 2.
>
> $conn = mysql_connect($hostname, $user, $password);
>
> step 3.
>
> $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...);
>
> step 4.
>
> if(!$conn)
> {
>     header("Location: http://website/dberror.html");
>     exit;
> }
> else
> {
>     mysql_select_db($database, $conn);
>
>     $insertqueryresult = mysql_query($insertquery);
>
>     if(!$insertqueryresult) {
>         header("Location: http://website/error.html");
>         exit;
>     }
> }
>
> With the above method I am able to insert values into the table even if I enter the ' special character, which can cause problems.
>
> I have also used a simple SQL insert query like
>
> $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
>
> When I used this simple insert query and entered ' in the form and submitted the form, the PHP file is unable to process the information entered because of the ' character, and as per the code the error.html file is displayed, whereas if I use
>
> $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...);
>
> even if I enter any number of ' characters in more than one form field, data is being inserted into the table.
>
> a)
> So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though there are several ways to avoid SQL injection.
>
> b)
> For example, if I enter data in the form as = abc'''def for name, the data in the table for the name field is being written as abc'''def.
>
> Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored with ' characters along with the data, example as I mentioned = abc'''def?
>
> Please answer questions a) and b). If there is something else I need to do, please suggest what needs to be done exactly and at which step.
>
> Any help will be greatly appreciated.
>
> Thanks.

--
The wise seek wisdom; fools believe they have found it.
Gabriel Sosa

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
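Added example, not code from this thread or from PHP's or MySQL's own sources: a Python model of the escaping the quoted steps rely on, run end to end so you can see both the query text and what the server actually stores (question b), and why step 1's stripslashes() matters when magic_quotes_gpc is on (skipping it double-escapes the value). It assumes an ASCII-compatible single-byte connection charset; the character table is the one the MySQL C API documents for mysql_real_escape_string(), and the literal scanner models only single-quoted strings. The escaping protects the value only because the %s placeholder sits inside single quotes in the query; an unquoted placeholder gets no protection from it.

```python
# Added example (not code from the thread or from PHP/MySQL): a Python model
# of the escaping steps in the quoted mail, so you can see what the query
# looks like and what the server will actually store.  Assumes an
# ASCII-compatible single-byte connection charset; multi-byte charsets need
# the real mysql_real_escape_string($value, $conn), which is why $conn is passed.

# Characters mysql_real_escape_string() rewrites (MySQL C API documentation):
# NUL, newline, carriage return, backslash, single quote, double quote, Control-Z.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# How MySQL's lexer reads a backslash escape inside a string literal.
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}


def mysql_escape(value):
    """Model of mysql_real_escape_string(): each special char gets a backslash."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def addslashes(value):
    """Model of PHP addslashes(), i.e. what magic_quotes_gpc did to $_POST values."""
    out = []
    for ch in value:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(value):
    """Model of PHP stripslashes(): drop the backslash, keep the char after it."""
    out, chars = [], iter(value)
    for ch in chars:
        out.append(next(chars, "") if ch == "\\" else ch)
    return "".join(out)


def build_insert(username, email, magic_quotes):
    """Steps 1 and 3 of the posted procedure (connection handling left out)."""
    if magic_quotes:                      # step 1: undo the slashes PHP added
        username, email = stripslashes(username), stripslashes(email)
    # step 3: the value is safe only because %s sits inside single quotes here
    return "INSERT INTO table (`username`, `email`) VALUES ('%s', '%s')" % (
        mysql_escape(username), mysql_escape(email))


def string_literals(query):
    """Read the single-quoted literals the way the MySQL lexer does and return
    the values the server stores (LIKE escapes \\% and \\_ are not modelled)."""
    literals, i = [], 0
    while i < len(query):
        if query[i] != "'":
            i += 1
            continue
        i += 1
        buf = []
        while i < len(query):
            ch = query[i]
            if ch == "\\" and i + 1 < len(query):   # backslash escape
                buf.append(_UNESCAPES.get(query[i + 1], query[i + 1]))
                i += 2
            elif ch == "'":
                if query[i + 1:i + 2] == "'":        # '' is also a literal quote
                    buf.append("'")
                    i += 2
                else:                                 # unescaped quote ends the literal
                    i += 1
                    break
            else:
                buf.append(ch)
                i += 1
        literals.append("".join(buf))
    return literals


def stored_values(username, email, magic_quotes):
    """Simulate one form submission end to end: what PHP receives, the query
    it builds, and what MySQL stores for the two columns."""
    if magic_quotes:                      # PHP already ran addslashes() on input
        username, email = addslashes(username), addslashes(email)
    return string_literals(build_insert(username, email, magic_quotes))


if __name__ == "__main__":
    name = "abc'''def"                    # constructed sample input from the mail
    print(build_insert(name, "a@example.com", magic_quotes=False))
    print(stored_values(name, "a@example.com", magic_quotes=True))
    print(stored_values(name, "a@example.com", magic_quotes=False))
    # Skipping step 1 with magic quotes on would double-escape the value:
    print(string_literals(build_insert(addslashes(name), "a@example.com", magic_quotes=False)))
```

Run it directly to see the query text and the stored values; the last line shows the double-escaped abc\'\'\'def you would store if step 1 were skipped while magic quotes were on.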