Re: validating form input

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/08/2010 02:38 PM, David Mehler wrote:
> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:
> 

In general this is fine:

> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));
> 
> or should I do:

You need to do something like this only if magic_quotes are enabled on
your PHP installation, except you would stripslashes first:

if(get_magic_quotes_gpc()) {
   $_POST['name'] = stripslashes($_POST['name']);
}
$name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

> 
> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));
> 
> Thanks.
> Dave.


-- 
Thanks!
-Shawn
http://www.spidean.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux