On 07/08/2010 02:38 PM, David Mehler wrote:
> Hello,
> Got a form that takes in data to enter into a database. I want to
> make it as secure and as invulnerable to SQL injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
> In general this is fine:
> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));
>
> or should I do:

You need to do something like this only if magic_quotes are enabled on
your PHP installation, except you would stripslashes first:

    if (get_magic_quotes_gpc()) {
        $_POST['name'] = stripslashes($_POST['name']);
    }
    $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

>
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));
>
> Thanks.
> Dave.

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
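A worked version of the advice in this thread, added here as an example and not code posted by either participant. It assumes a hypothetical `people` table with a `name` column and uses placeholder connection parameters. It undoes magic_quotes only when PHP actually applied them (the function is gone since PHP 8.0, so the call is guarded), shows the escaped form with the escape applied last, and shows the mysqli prepared-statement form, which keeps the value out of the SQL text entirely so the escape/strip ordering question never arises. Note that the second form from the question, stripslashes() applied after the escape, would remove the backslashes the escape just added and so defeat it.

```php
<?php
// Added example, not from the thread. Table `people(name)` and the
// connection parameters below are placeholders.

// Reverse magic_quotes only if PHP applied them to this request. The
// setting was removed in PHP 5.4 and get_magic_quotes_gpc() in 8.0,
// hence the function_exists() guard.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escaping variant: correct only because the value sits inside a
// single-quoted SQL string literal, and only with the connection's
// charset, which is why mysqli_real_escape_string() needs $db.
// Escape is the LAST step; nothing may touch $name afterwards.
function insert_name_escaped(mysqli $db, string $raw): bool
{
    $name = mysqli_real_escape_string($db, trim(undo_magic_quotes($raw)));
    $sql  = "INSERT INTO people (name) VALUES ('$name')";
    return (bool) mysqli_query($db, $sql);
}

// Prepared-statement variant: the parameter is sent separately from the
// query text, so no escaping is needed at all.
function insert_name_prepared(mysqli $db, string $raw): bool
{
    $name = trim(undo_magic_quotes($raw));
    $stmt = mysqli_prepare($db, 'INSERT INTO people (name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $name);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Placeholder credentials; replace with real ones.
$db = mysqli_connect('db.example', 'app_user', 'app_password', 'app');
if ($db) {
    // Set the charset before escaping anything so the escape rules match
    // what the server will parse.
    mysqli_set_charset($db, 'utf8mb4');

    // Constructed sample input containing a quote; "O'Brien" is exactly the
    // kind of legitimate value that stripslashes(escape(...)) would break.
    $raw = $_POST['name'] ?? "O'Brien";

    insert_name_prepared($db, $raw);
    mysqli_close($db);
}
```

The escaped variant is kept only to show the correct order for code that already uses escaping; for new code the prepared-statement variant is the one to use, since it is safe regardless of magic_quotes, charset, or where in the statement the value lands.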