
Sql Injection Protection


radalin


Hi,
I'm using PHP 5 and Apache 2 with PostgreSQL 8.1 as the database and PEAR's MDB2 package. I'm using the escape method of MDB2. But the interesting thing is that the silencer "\" character appears more than required. I mean if I write " your's " it becomes " your\\''s " and it's entered into the db as " your\'s ". If I do not use the escape method, everything is fine! Yes, really fine! I get the data from a form via the POST method. When I try to echo the data coming from POST it's " your\'s ". The single quote is already disabled.

Well, I'm curious why this is happening!! I do not think it's really possible, so I'm probably missing something somewhere. I cannot post my code, sadly, because it's not ordered and it requires many functions. But the thing is, even if I echo the data coming from the POST, the single quote is already disabled! I'm very curious why this happens. Maybe this is because of something I don't know yet.

Thank you for your time.
https://forums.phpfreaks.com/topic/16794-sql-injection-protection/

That's probably because you've got magic_quotes on in your php.ini.

Run this:
echo get_magic_quotes_gpc();
If it returns TRUE or 1, that means strings get automatically escaped.

If you want to escape strings for your database, use this function:
[code]<?php
// Escape a request value for use inside a quoted SQL string literal.
function sql_quote($value)
{
    // magic_quotes_gpc has already added backslashes to GET/POST/COOKIE
    // data; remove them first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Prefer the MySQL-aware escaper (it needs an open mysql_connect()
    // link, otherwise it returns FALSE); fall back to plain addslashes().
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
?>[/code]

Orio.
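As an added example (not code from either post in this thread), the following script shows the mechanism behind the doubled backslashes and a way to avoid hand-rolled escaping altogether with MDB2 bound parameters, which is what the original poster's PostgreSQL + MDB2 setup supports. The DSN, the `notes` table and its `body` column are placeholders assumed for this example; the `strip_magic_quotes()` helper is not part of MDB2 or PEAR.

```php
<?php
// Added example, not from the thread. Assumes PEAR MDB2 with the pgsql
// driver is installed and that the DSN below points at a PostgreSQL
// database containing:
//   CREATE TABLE notes (id serial PRIMARY KEY, body text NOT NULL);
// The DSN, table and column names are placeholders chosen for this example.

require_once 'MDB2.php';

// Undo magic_quotes_gpc once, at the edge of the request, so the rest of
// the code sees the bytes the client actually sent. Recurses because
// $_POST may contain nested arrays (e.g. field[]).
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Constructed input standing in for the form field. With magic_quotes_gpc
// on, PHP would have turned the apostrophe into \' before the script ran.
$body = isset($_POST['body']) ? $_POST['body'] : "your's";

// The doubling the OP observed: escaping a value that magic_quotes already
// escaped. addslashes() is used here only because it needs no database
// connection; MDB2's escape() adds its own layer in the same way.
$once  = addslashes($body);  // puts one backslash before the quote
$twice = addslashes($once);  // escapes that backslash and the quote again

$mdb2 = MDB2::connect('pgsql://app:secret@localhost/appdb'); // assumed DSN
if (PEAR::isError($mdb2)) {
    die('connect failed: ' . $mdb2->getMessage());
}

// Bound parameters: the value travels separately from the SQL text, so
// nothing is escaped by hand and quotes in $body cannot alter the statement.
$stmt = $mdb2->prepare(
    'INSERT INTO notes (body) VALUES (?)',
    array('text'),
    MDB2_PREPARE_MANIP
);
if (PEAR::isError($stmt)) {
    die('prepare failed: ' . $stmt->getMessage());
}

$result = $stmt->execute(array($body));
if (PEAR::isError($result)) {
    die('insert failed: ' . $result->getMessage());
}
$stmt->free();

// Reading the row back shows the stored text is the original value with a
// bare apostrophe, whatever the magic_quotes setting. Output is HTML-escaped
// because this script is assumed to run under Apache.
$stored = $mdb2->queryOne('SELECT body FROM notes ORDER BY id DESC LIMIT 1');
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";

$mdb2->disconnect();
?>
```

Stripping the magic_quotes slashes in one place and then binding values instead of splicing them into the query text removes both the double escaping and the dependency on a hand-written escaper that has to match the database in use (the `mysql_real_escape_string` fallback above, for instance, escapes for MySQL, not for PostgreSQL).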
