DataRater Posted August 14, 2008

This is the situation: magic_quotes_gpc = Off. I am inserting into a MySQL table (I've simplified the code below, e.g. I have put the $POST data into a simple variable):

$sql="INSERT INTO yachts SET id='".$id."', name='".$name."', manufacturer='".$manufacturer."', ..."

Now I should wrap addslashes() around each of these like this to make the insert nice and tidy for MySQL, so that would be:

$sql="INSERT INTO yachts SET id='".addslashes($id)."', name='".addslashes($name)."', manufacturer='".addslashes($this->manufacturer)."', ..."

but addslashes() doesn't, apparently, do the whole job, due to it not escaping certain (I don't know what they are) characters which might be injected by unscrupulous types. So what do I need to do to make this very tidy?
awpti Posted August 14, 2008

mysql_real_escape_string. Even that isn't perfect.
JasonLewis Posted August 14, 2008

First, it's $_POST not $POST. Second... use mysql_real_escape_string().
DataRater (Author) Posted August 14, 2008

Thanks. I just got there too. If mysql_real_escape_string isn't perfect, what else have we to do?
awpti Posted August 14, 2008

Write your own validation routines. mysql_real gets ~90% of the crap.
JasonLewis Posted August 14, 2008

I just googled SQL Injection. Didn't open any of the pages, but here are some links that *sound* helpful.

http://www.hiveminds.co.uk/node/3071
http://www.homeandlearn.co.uk/php/php13p5.html
http://forums.digitalpoint.com/showthread.php?t=445907
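The three approaches the thread circles around, side by side, as an added example that is not part of the original thread or any poster's code. It uses Python's sqlite3 module in place of PHP and MySQL so that it runs offline; the `yachts` table and its `id`, `name`, `manufacturer` columns come from the original post, the column types and the request data are constructed for the demonstration. `esc()` does standard-SQL quote doubling as a stand-in for addslashes()/mysql_real_escape_string(), which escape with backslashes in MySQL's dialect; the point being shown is the same. The escaping path is correct only where every substituted value sits inside quotes, which is the gap awpti's "even that isn't perfect" points at: an unquoted numeric context such as `WHERE id=` gets no protection from escaping at all. A parameterised statement closes both holes because the values never become part of the SQL text.

```python
import sqlite3

# Added example, not code from the thread. sqlite3 stands in for PHP + MySQL.
# Table and column names follow the original post; the types are assumed.
SCHEMA = "CREATE TABLE yachts (id INTEGER, name TEXT, manufacturer TEXT)"

# Constructed stand-ins for $_POST. The hostile name closes the string literal
# and the VALUES list, then comments out the rest of the statement.
HOSTILE_POST = {"id": "7", "name": "Sloop', 'Injected Co') -- ", "manufacturer": "Beneteau"}
BENIGN_POST = {"id": "8", "name": "O'Malley", "manufacturer": "Bavaria"}


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def esc(value):
    """Quote doubling: the same job addslashes()/mysql_real_escape_string() do,
    i.e. make a value safe *inside* a quoted SQL string literal."""
    return value.replace("'", "''")


def insert_concat(conn, post):
    """The original post's approach: paste raw values into the SQL text."""
    sql = ("INSERT INTO yachts (id, name, manufacturer) VALUES ('"
           + post["id"] + "', '" + post["name"] + "', '" + post["manufacturer"] + "')")
    conn.execute(sql)


def insert_escaped(conn, post):
    """Same statement with every value escaped; safe only because every
    substitution point here is wrapped in quotes."""
    sql = ("INSERT INTO yachts (id, name, manufacturer) VALUES ('"
           + esc(post["id"]) + "', '" + esc(post["name"]) + "', '"
           + esc(post["manufacturer"]) + "')")
    conn.execute(sql)


def insert_param(conn, post):
    """Parameterised statement: values are passed to the driver separately
    from the SQL, so no input character can change the statement's structure."""
    conn.execute("INSERT INTO yachts (id, name, manufacturer) VALUES (?, ?, ?)",
                 (int(post["id"]), post["name"], post["manufacturer"]))


def delete_escaped_unquoted(conn, raw_id):
    """Where escaping cannot help: the value is not inside quotes, so a
    payload needs no quote character at all to alter the WHERE clause."""
    conn.execute("DELETE FROM yachts WHERE id=" + esc(raw_id))


def delete_param(conn, raw_id):
    """Bind the id as an integer; a non-numeric id is rejected before any SQL runs."""
    conn.execute("DELETE FROM yachts WHERE id=?", (int(raw_id),))


def rows(conn):
    return conn.execute("SELECT id, name, manufacturer FROM yachts ORDER BY id").fetchall()


def run_inserts(insert_fn):
    """Apply insert_fn to the hostile request, then the benign one. Returns the
    rows that ended up in the table and the name of the error (if any) raised."""
    conn = fresh_db()
    error = None
    for post in (HOSTILE_POST, BENIGN_POST):
        try:
            insert_fn(conn, post)
        except sqlite3.Error as e:
            error = type(e).__name__
    return rows(conn), error


def run_delete(delete_fn, raw_id="8 OR 1=1"):
    """Seed two clean rows, then delete with an attacker-controlled id.
    Returns (rows left, whether the input was rejected before reaching SQL)."""
    conn = fresh_db()
    insert_param(conn, BENIGN_POST)
    insert_param(conn, {"id": "9", "name": "Ketch", "manufacturer": "Hallberg-Rassy"})
    rejected = False
    try:
        delete_fn(conn, raw_id)
    except ValueError:
        rejected = True
    return len(rows(conn)), rejected


if __name__ == "__main__":
    for fn in (insert_concat, insert_escaped, insert_param):
        print(fn.__name__, run_inserts(fn))
    for fn in (delete_escaped_unquoted, delete_param):
        print(fn.__name__, run_delete(fn))
```

Running it shows the concatenated INSERT storing "Injected Co" as the manufacturer and then failing outright on the legitimate name O'Malley, the escaped INSERT storing both rows verbatim, and the unquoted `DELETE ... WHERE id=8 OR 1=1` emptying the table despite the escaping call. The PHP equivalents of `insert_param` are PDO::prepare()/PDOStatement::execute() or mysqli prepared statements; with those in place, input validation (as awpti suggests) is still worth doing for data quality, but it is no longer what stands between a request and the SQL parser.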