
how do you clean mysql data?


ask9


Hello, I have this insert below.

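// Column names are bare identifiers; only the values are string literals.
// The three values are interpolated into the SQL text exactly as entered.
$query = "INSERT INTO member (firstname, lastname, username)
VALUES ('$this->fname', '$this->lname', '$this->username')";
mysql_query($query) or die("Problem with the query: $query on line " . __LINE__ . '<br>' . mysql_error());
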
How do you clean the values?

I heard mysql_real_escape_string is used to prevent MySQL injection.

Is this also the same function used to clean the user-entered data into the MySQL database?

Is there another way?

Thanks in advance.

https://forums.phpfreaks.com/topic/173979-how-do-you-clean-mysql-data/

I'm assuming by clean you mean to make sure it doesn't mess up the syntax of your MySQL query. But that is the whole purpose of MySQL injection: to remodel the structure of your query to do things you wouldn't want a user to have access to, like select more rows than expected, drop a table, etc.

So in the case above, you'd use mysql_real_escape_string on strings. On integers you really don't need to; just type cast the variable. Hope it helps.
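
An added example, not part of the thread: the member insert from the question built by interpolation and then as a prepared statement, plus the integer cast the reply describes. It goes beyond the reply by using PDO bound parameters (the mysql_* functions were removed in PHP 7). Assumptions: an in-memory SQLite database through pdo_sqlite stands in for MySQL so the script runs offline, the `id` column is added for the cast demonstration, and all input values are constructed.

```php
<?php
// Added example. SQLite in memory is an assumption so the script runs
// offline; the prepare()/execute() calls are the same with the MySQL driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (
    id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT, username TEXT)');

// Constructed input: the apostrophe ends the string literal early when the
// value is pasted straight into the SQL text.
$fname = 'Conan';
$lname = "O'Brien";
$username = 'cob';

// 1) Interpolated query, as in the question: the statement structure changes.
$unsafe = "INSERT INTO member (firstname, lastname, username)
           VALUES ('$fname', '$lname', '$username')";
try {
    $pdo->exec($unsafe);
    $interpolated = 'accepted';
} catch (PDOException $e) {
    $interpolated = 'rejected: ' . $e->getMessage();
}

// 2) Prepared statement: the SQL text is fixed and the values are sent
//    separately, so no quoting or escaping of the data is needed.
$insert = $pdo->prepare(
    'INSERT INTO member (firstname, lastname, username) VALUES (?, ?, ?)');
$insert->execute([$fname, $lname, $username]);

// 3) Integer cast, as the reply suggests: everything after the leading
//    digits is discarded before the value reaches the query.
$rawId = '1 OR 1=1';   // constructed input
$id = (int) $rawId;    // becomes 1
$select = $pdo->prepare('SELECT lastname FROM member WHERE id = ?');
$select->execute([$id]);
$rows = $select->fetchAll(PDO::FETCH_COLUMN);

echo "interpolated insert: $interpolated\n";
echo "id after cast: $id\n";
echo "lastname stored by prepared insert: {$rows[0]}\n";
```

The interpolated insert is rejected with a syntax error, while the prepared insert stores the apostrophe unchanged.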

Archived

This topic is now archived and is closed to further replies.
