ask9 Posted September 12, 2009

Hello, I have this insert below.

$query = "INSERT INTO member (firstname, lastname, username) VALUES ('$this->fname', '$this->lname', '$this->username')";
mysql_query($query) or die("Problem with the query: $query on line " . __LINE__ . '<br>' . mysql_error());

How do you clean the values? I heard mysql_real_escape_string is used to prevent mysql injection. Is this also the same function used to clean the user entered data into mysql database? Is there another way? Thanks in advance.

RussellReal Posted September 12, 2009

I'm assuming by clean you mean to make sure it doesn't mess up the syntax of your mysql query.. but, that is the whole purpose of mysql injection, to remodel the structure of your query to do things you wouldn't want a user to have access to... like.. select more rows than expected.. drop a table.. etc.

So in the case above.. you'd use mysql_real_escape_string on strings, on integers you really don't need to.. just type cast the variable.. hope it helps.
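
What the reply describes (escape strings, cast integers), together with bound parameters as the other way the question asks about, shown as an added example that is not from either poster. It assumes PDO with an in-memory SQLite database so it runs without a server (the same quote(), prepare() and execute() calls exist on a PDO MySQL connection); the sample values and the lookup by id are constructed.

```php
<?php
// Added example. In-memory SQLite via PDO stands in for the MySQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (id INTEGER PRIMARY KEY,
           firstname TEXT, lastname TEXT, username TEXT)');

// Constructed sample input, as it might arrive from a form.
$fname    = "Conan";
$lname    = "O'Brien";            // legitimate apostrophe
$username = "cob', 'extra') -- "; // text that would reshape a concatenated query

// 1. Concatenation, as in the question: the apostrophe ends the string early,
//    so the server sees different SQL than the author wrote.
try {
    $db->exec("INSERT INTO member (firstname, lastname, username)
               VALUES ('$fname', '$lname', '$username')");
    echo "concatenated insert ran\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}

// 2. Escaping strings: PDO::quote() escapes the value and also adds the
//    surrounding quotes. mysql_real_escape_string only escapes, which is why
//    the question's query keeps its own quotes around each value.
$db->exec('INSERT INTO member (firstname, lastname, username) VALUES ('
    . $db->quote($fname) . ', ' . $db->quote($lname) . ', '
    . $db->quote($username) . ')');

// 3. Prepared statement: values travel separately from the SQL text,
//    so nothing in them can change the statement's structure.
$stmt = $db->prepare('INSERT INTO member (firstname, lastname, username)
                      VALUES (:fname, :lname, :username)');
$stmt->execute([':fname' => $fname, ':lname' => $lname, ':username' => $username]);

// 4. Integers: cast instead of escaping. The trailing text is discarded.
$id   = (int) "1 OR 1=1";
$rows = $db->query("SELECT lastname, username FROM member WHERE id = $id")
           ->fetchAll(PDO::FETCH_ASSOC);

// Check that the cast limited the lookup to a single row and that both
// strings were stored verbatim rather than interpreted as SQL.
var_dump(count($rows) === 1,
         $rows[0]['lastname'] === $lname,
         $rows[0]['username'] === $username);
```

The mysql_* functions used in the question were removed in PHP 7.0; mysqli and PDO are their replacements, and both support prepared statements.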