Re: validating form input

On Jul 8, 2010, at 12:38 PM, David Mehler <dave.mehler@xxxxxxxxx> wrote:

> Hello,
> Got a form that takes in data to enter into a database. I want to
> make it as secure and as invulnerable to SQL injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
> 
> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

This would work. Escaping the string should be all you need, as long as you use single quotes for wrapping the column values. Double quotes I'm not sure about, but you shouldn't be using those anyway.

> 
> or should I do:
> 
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));

No... You'd be adding slashes and then removing them here :p


> 
> Thanks.
> Dave.
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 

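Added example, not part of the original messages: a self-contained PHP sketch of why running `stripslashes()` over an escaped value puts the raw apostrophe back, so it ends the single-quoted literal early. `escape_stand_in()` is a hypothetical stand-in for `mysqli_real_escape_string()` (it escapes the characters the PHP manual lists, so no database connection is needed); the `people` table and the helpers `literal_end()` and `stays_in_literal()` are likewise assumptions made for illustration.

```php
<?php
// Stand-in for mysqli_real_escape_string() so this runs without a server
// (assumption: single-byte connection charset). It backslash-escapes the
// characters the PHP manual lists: NUL, \n, \r, \, ', " and Ctrl-Z.
function escape_stand_in(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'"  => "\\'", '"'  => '\\"', "\x1a" => '\\Z',
    ]);
}

// Walks one single-quoted MySQL string literal that opens at $sql[$start]
// (default sql_mode, so backslash is the escape character) and returns the
// offset just past its closing quote, or null if it never closes.
function literal_end(string $sql, int $start): ?int
{
    $n = strlen($sql);
    for ($i = $start + 1; $i < $n; $i++) {
        if ($sql[$i] === '\\') { $i++; continue; }   // skip the escaped char
        if ($sql[$i] === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") { $i++; continue; } // '' pair
            return $i + 1;
        }
    }
    return null;
}

// True when the value stays data: the literal that opens right after
// $prefix must close exactly where $suffix begins.
function stays_in_literal(string $value): bool
{
    $prefix = "INSERT INTO people (name) VALUES (";  // hypothetical table
    $suffix = ")";
    $sql = $prefix . "'" . $value . "'" . $suffix;
    return literal_end($sql, strlen($prefix)) === strlen($sql) - strlen($suffix);
}

$name     = trim("  O'Brien  ");        // constructed sample for $_POST['name']
$escaped  = escape_stand_in($name);     // escaped only, as in the first snippet
$stripped = stripslashes($escaped);     // escaped then stripped, as in the second

var_dump(stays_in_literal($escaped));   // check for the first snippet's value
var_dump(stays_in_literal($stripped));  // check for the second snippet's value
```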
