MDanz Posted August 21, 2009 Share Posted August 21, 2009 mysql_select_db ($database); // Make sure the user actually // selected and uploaded a file $hyperlink = $_POST['hyperlink']; $currency = $_POST['currency']; $name = $_POST['name']; $image = $_POST['image']; $info = $_POST['info']; $keywords = $_POST['keywords']; $type = $_POST['type']; // Create the query and insert // into our database. $query = "INSERT INTO Stacks"; $query .= "(`image`, `hyperlink`,`currency`,`name`,`info`,`keywords`,`type`) VALUES ('$image','$hyperlink','$currency','$name','$info','$keywords','$type')"; $results = mysql_query($query, $link); if($query){ print "<br><font color=white>Your image details have been uploaded to the database. <a href='member.php'>Return to Upload Page</a></font>"; } else { print "No image selected/uploaded"; } // Close our MySQL Link mysql_close($link); how/where do i add mysql_real_escape_string to this to prevent html attack? Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/ Share on other sites More sharing options...
trq Posted August 21, 2009 Share Posted August 21, 2009 mysql_reral_escape_string does not prevent xss attacks if that's what your getting at, it simply escapes your data for safe insertion into a database. All data going into your queries should first go through mysql_reral_escape_string, for example.... $name = mysql_real_escape_string($_POST['name']); Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903269 Share on other sites More sharing options...
Garethp Posted August 21, 2009 Share Posted August 21, 2009 What do you use to prevent XSS attacks? Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903274 Share on other sites More sharing options...
MDanz Posted August 21, 2009 Author Share Posted August 21, 2009 i have no idea what xss are? how do i go about preventing them? are they easy to implement into my code? Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903275 Share on other sites More sharing options...
trq Posted August 21, 2009 Share Posted August 21, 2009 There isn't really any one stop solution for such a thing. You basically need to validate that user inputted data is what you expect it to be. Having said that, there are some great tools around to help in the prcess. htmlpurifier is one such tool. Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903279 Share on other sites More sharing options...
Garethp Posted August 21, 2009 Share Posted August 21, 2009 What other security steps should one take when coding in PHP? Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903280 Share on other sites More sharing options...
trq Posted August 21, 2009 Share Posted August 21, 2009 You'll need to google I'm afraid or maybe search the board. There are entire books on the subject. Its not really something thats going to be covered extensively in a single forum post. Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903282 Share on other sites More sharing options...
Garethp Posted August 21, 2009 Share Posted August 21, 2009 Thanks. Up till now I believed that mysql_escape_string was sufficient for a general purpose security feature. I'll make sure to read up on the topic some more Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903283 Share on other sites More sharing options...
Daniel0 Posted August 21, 2009 Share Posted August 21, 2009 What other security steps should one take when coding in PHP? http://www.phpfreaks.com/tutorial/php-security Link to comment https://forums.phpfreaks.com/topic/171283-how-to-add-mysql_real_escape_string/#findComment-903288 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.