Jump to content


Making a TEXT FIELD secure!, how?

  • Please log in to reply
3 replies to this topic

#1 bilis_money

  • Members
  • PipPipPip
  • Advanced Member
  • 621 posts

Posted 12 August 2006 - 11:59 PM

Ok, i'm  trying to make a search box for my website.
and everything is working fine.

now at the moment of testing and looking for holes i notice that
when i type these ~, !, @, #, $, %, ^, &, *< (), (, ., *.* and etc.
it produces error messages or will display all the records and etc.

now i know that this is not intended to do this way but i think this is one of the holes that a cracker can exploit.

I'm was thinking if this can be solve by using stripslashes() or related with this? I'm hoping that you can give me advice on this, on how to remove this problem.

Thank you very much in advance.

#2 Jocka

  • Members
  • PipPipPip
  • Advanced Member
  • 344 posts
  • LocationDallas, Texas

Posted 13 August 2006 - 12:02 AM



#3 bilis_money

  • Members
  • PipPipPip
  • Advanced Member
  • 621 posts

Posted 13 August 2006 - 12:04 AM

so which is the most effective?

#4 corbin

  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 13 August 2006 - 01:44 AM

string mysql_escape_string ( string unescaped_string )

This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

It pretty much is sayin that _real_escape is the newer version...
Why doesn't anyone ever say hi, hey, or whad up world?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users