YOU can write (') characters in the database.. that fine..
mysql_real_escape_string avoid injections doing that: escaping characters
then when you put in a form
abc'''def
the query will be
INSERT ..... (name.....) VALUES ( 'abc\'\'\'def'....
each ' => \'
for me the steps are right
saludos
On Thu, May 29, 2008 at 4:10 PM, Sudhakar <sudhakararaog@xxxxxxxxx> wrote:
> i have implemented a way to avoid sql injection from the php website from
> this url
> http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best
> Practice" query" section of this page
>
> following are the steps i have followed after the form values are submitted
> to a php file.
>
> step 1.
>
> if(get_magic_quotes_gpc())
> {
> $username = stripslashes($_POST["username"]);
> .........
> }
>
> else
> {
> $username = $_POST["username"];
> .........
> }
>
> step 2.
>
> $conn = mysql_connect($hostname, $user, $password);
>
> step 3.
>
> $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s',
> ...)", mysql_real_escape_string($username, $conn), ...);
>
> step 4.
>
> if(!$conn)
> {
> header("Location: http://website/dberror.html";);
> exit;
> }
>
> else
> {
> mysql_select_db($database, $conn);
>
> $insertqueryresult = mysql_query($insertquery);
>
>
> if(!$insertqueryresult) {
> header("Location: http://website/error.html";);
> exit; }
>
> }
>
> with the above method i am able to insert values into the table even with if
> i enter the ' special character which can cause problems.
>
> i have also used a simple sql insert query like
>
> $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
>
> when i used this simple insert query and if i entered ' in the form and
> submitted the form the php file is unable to process the information entered
> because of the ' character and as per the code error.html file is being
> displayed where as if i use
>
> $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s',
> ...)", mysql_real_escape_string($username, $conn), ...);
>
> even if i enter any number of ' characters in more than 1 form field data is
> being inserted into the table
>
> a)
> so i am thinking that the steps i have taken from the php site is correct
> and the right way to avoid sql injection though there are several ways to
> avoid sql injection.
>
> b)
> for example if i enter data in the form as = abc'''def for name, the data in
> the table for the name field is being written as abc'''def
>
> based on how i have written the steps to avoid sql injection is this the
> right way for the data to be stored with ' characters along with the data
> example as i mentioned = abc'''def
>
> please answer the questions a) and b) if there is something else i need to
> do please suggest what needs to be done exactly and at which step.
>
> any help will be greatly appreciated.
>
> thanks.
>
--
Los sabios buscan la sabiduría; los necios creen haberla encontrado.
Gabriel Sosa
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
