Jump to content

Recommended Posts

hello i have this insert below.

 

$query = "INSERT INTO member ('firstname', 'lastname', 'username') 
VALUES ('$this->fname', '$this->lname', '$this->username')"; 
mysql_query($query) or die("Problem with the query: $query on line " . __LINE__ . '<br>' . mysql_error());

 

How do you clean the values?

 

I heard mysql_real_escape_string is used to prevent mysql injection.

 

Is this also the same function used to clean the user entered data into mysql database?

 

Is there other way?

 

Thanks in advance.

 

 

Link to comment
https://forums.phpfreaks.com/topic/173979-how-do-you-clean-mysql-data/
Share on other sites

I'm assuming by clean you mean to make sure it doesn't mess up the syntax of your mysql query.. but, that is the whole purpose of mysql injection, to remodel the structure of your query to do things you wouldn't want a user to have access to... like.. select more rows than expected.. drop a table.. etc

 

so in the case above.. you'd use mysql_real_escape_string on strings, on integers you really don't need to.. just type cast the variable.. hope it helps.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.