Hi Sudhakar,

Try the following:

    $sql = "INSERT INTO <table_name> (`username`) VALUES ('".$username."')";

I have used the same in so many projects. I did not get any problem as you mentioned in your following email. I am waiting for your positive reply regarding this. Thanks in advance.

Thanks & Regards
Udayakumar Sarangapani
Sr. PHP Developer
CompIndia Infotech Pvt. Ltd.
Chennai.
"Science is nothing but logic..."

----- Original Message ----
From: Sudhakar <finals27@xxxxxxxxx>
To: php-objects@xxxxxxxxxxxxxxx
Sent: Friday, 30 May, 2008 1:31:29 AM
Subject: sql injection

I have implemented a way to avoid SQL injection from the PHP website from this URL http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page. Following are the steps I have followed after the form values are submitted to a PHP file.

step 1.

    if(get_magic_quotes_gpc()) {
        $username = stripslashes($_POST["username"]);
        .........
    } else {
        $username = $_POST["username"];
        .........
    }

step 2.

    $conn = mysql_connect($hostname, $user, $password);

step 3.

    $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
        mysql_real_escape_string($username, $conn), ...);

step 4.

    if(!$conn) {
        header("Location: http://website/dberror.html");
        exit;
    } else {
        mysql_select_db($database, $conn);
        $insertqueryresult = mysql_query($insertquery);
        if(!$insertqueryresult) {
            header("Location: http://website/error.html");
            exit;
        }
    }

With the above method I am able to insert values into the table even if I enter the ' special character, which can cause problems. I have also used a simple SQL insert query like

    $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";

When I used this simple insert query and entered ' in the form and submitted the form, the PHP file was unable to process the information entered because of the ' character, and as per the code the error.html file is displayed, whereas if I use

    $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
        mysql_real_escape_string($username, $conn), ...);

even if I enter any number of ' characters in more than one form field, the data is inserted into the table.

a) So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though there are several ways to avoid SQL injection.

b) For example, if I enter data in the form as abc'''def for name, the data in the table for the name field is written as abc'''def. Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored, with ' characters along with the data, as in the example I mentioned, abc'''def?

Please answer the questions a) and b). If there is something else I need to do, please suggest what needs to be done exactly and at which step. Any help will be greatly appreciated.

Thanks.
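As an added example that is not part of either message above, the abc'''def case from the thread is run twice: once through the plain string concatenation and once through a PDO prepared statement, which is the current replacement for the mysql_real_escape_string() approach (the mysql_* extension was removed in PHP 7). It assumes an in-memory SQLite database via PDO so it runs offline; the table name and column are constructed for the demo.

```php
<?php
// Added example (not from the thread): compare the concatenated query with
// a prepared statement on the quote-heavy input from the original mail.
// Assumes PDO with the sqlite driver, using an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT)');

$username = "abc'''def";   // constructed input containing several ' characters

// 1. Plain concatenation, as suggested in the reply: the first ' in the
//    value closes the SQL string literal, so the statement is no longer
//    valid SQL and the database rejects it (this is the error.html path).
try {
    $pdo->exec("INSERT INTO users (`username`) VALUES ('" . $username . "')");
    echo "concatenated insert succeeded\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the value is bound as a parameter and never becomes
//    part of the SQL text, so no escaping step is needed and the quotes are
//    stored exactly as typed, which is the behaviour asked about in b).
$stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
$stmt->execute([':username' => $username]);

$stored = $pdo->query('SELECT username FROM users')->fetchColumn();
echo "stored value: " . $stored . "\n";
echo "round-tripped unchanged: " . var_export($stored === $username, true) . "\n";
```

The same binding pattern applies to mysqli prepared statements when the backend is MySQL; the point is that the quote characters are data, not SQL, and are stored verbatim without any stripslashes() or escaping step.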