Canman2005 Posted October 10, 2008 Share Posted October 10, 2008 Hi all I am currently building a system for one guy to use, it contains quite a few INSERT statements, but I have not delt with the possibility of commas being used. What would be the best way to deal with commas being using in INSERT statements? Thanks Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/ Share on other sites More sharing options...
DarkWater Posted October 10, 2008 Share Posted October 10, 2008 It should be fine because the string would be in ' ', and you should be using mysql_real_escape_string() anyway. Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661544 Share on other sites More sharing options...
Canman2005 Posted October 10, 2008 Author Share Posted October 10, 2008 thanks would mysql_real_escape_string() solve any possible INJECTION attacks? If so, is there a way to set it universally on the system? Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661546 Share on other sites More sharing options...
DarkWater Posted October 10, 2008 Share Posted October 10, 2008 You can't "universally set it", so you have to manually use it on every piece of data being used in a query. Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661548 Share on other sites More sharing options...
Canman2005 Posted October 10, 2008 Author Share Posted October 10, 2008 okay, so would it be something like $username = mysql_real_escape_string($_POST['username']); ? If so, is there any issues doing $_POST['username'] = mysql_real_escape_string($_POST['username']); to save editing all the insert statements? Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661551 Share on other sites More sharing options...
redarrow Posted October 10, 2008 Share Posted October 10, 2008 very secure way mate........... <?php //array_pop($_POST); //only use if it an array....... // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Quote if not integer if (!is_numeric($value) || $value[0] == '0') { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; } ?> Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661558 Share on other sites More sharing options...
redarrow Posted October 10, 2008 Share Posted October 10, 2008 $_POST['username'] = mysql_real_escape_string($_POST['username']); <<< unindexed $username=mysql_real_escape_string($_POST['username']); <<<< correct way........ Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661559 Share on other sites More sharing options...
Canman2005 Posted October 10, 2008 Author Share Posted October 10, 2008 if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Quote if not integer if (!is_numeric($value) || $value[0] == '0') { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; } didnt seem to work, ill do it with the mysql_real_escape_string funtion Thanks Link to comment https://forums.phpfreaks.com/topic/127797-solved-commas-in-insert-statement/#findComment-661573 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.