Hi Dotan,

You can use the htmlentities(), htmlspecialchars() and strip_tags() functions when you show your saved data on your web pages. The mysql_real_escape_string() function saves data into the MySQL DB in a secure way, but when you try to show the data you still have to control it.

Thanks.
Caner.

-----Original Message-----
From: Dotan Cohen [mailto:dotancohen@xxxxxxxxx]
Sent: Sunday, August 16, 2009 9:43 PM
To: php-general
Subject: Sanitizing mysql inserts of user data

I am sanitizing user-entered data before storing in mysql with this function:

    function clean_mysql($dirty)
    {
        $dirty = trim($dirty);                      // drop surrounding whitespace
        $dirty = str_replace("--", "", $dirty);     // remove SQL comment markers
        $dirty = str_replace(";", "", $dirty);      // remove statement separators
        $clean = mysql_real_escape_string($dirty);  // escape quotes, backslashes, NUL for MySQL
        return $clean;
    }

Is this good enough to prevent SQL injection attacks? Should I add anything else?

Thanks!

Dotan Cohen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
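The two controls the thread talks about, storing user input safely and encoding it again on display, shown together as an added example that is not code from either message. It swaps the string-escaping approach for PDO parameter binding, assumes a hypothetical `comments` table, and uses an in-memory SQLite database so it runs offline (for MySQL only the DSN and credentials in the PDO constructor change).

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database so it
// runs offline; for MySQL only the DSN/credentials in the PDO constructor change
// (e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4').

// 1. Storing user input: bind it as a parameter rather than escaping it into
//    the SQL text. The value travels separately from the statement, so quotes,
//    ';' and '--' in the input cannot alter the query, and nothing needs to be
//    stripped from what the user actually typed.
function insert_comment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 2. Displaying stored data: SQL escaping says nothing about HTML. Encode at
//    output time, as Caner's reply suggests, so stored markup renders as text.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function fetch_comments(PDO $db): array
{
    return $db->query('SELECT author, body FROM comments')->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed sample input: contains every character clean_mysql() would strip
// or escape. With binding it is stored verbatim and the INSERT is unaffected.
insert_comment($db, "O'Brien; -- QA", "<b>hello</b> & goodbye");

foreach (fetch_comments($db) as $row) {
    // Author is stored intact (apostrophe, semicolon and dashes preserved);
    // body is shown as literal text, not interpreted as HTML.
    echo '<p>' . html($row['author']) . ': ' . html($row['body']) . "</p>\n";
}
```

Note that stripping `;` and `--` before storage, as clean_mysql() does, silently corrupts legitimate input such as the author name above, while binding keeps the stored value exactly as entered.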