herghost Posted September 24, 2009 Share Posted September 24, 2009 Hi all, How do you use strip slashes to allow a field with ' or / for example, I currently have the below, but if a hypen etc appears then the query fails. Many Thanks <?php include('../include/dbconnect.php'); include('../include/auth.inc.php'); $redirect = ('../index.php'); $query = 'SELECT user_id, username FROM users_credits WHERE username = "' . mysql_real_escape_string($_SESSION['username'], $conn) . '"'; $result = mysql_query($query, $conn) or die(mysql_error($conn)); $row = mysql_fetch_array($result); extract($row); mysql_free_result($result); // get data that sent from form $cat=$_POST['cat']; $os=stripslashes($_POST['os']); $ram=stripslashes($_POST['ram']); $graphics=stripslashes($_POST['graphics']); $harddrive=stripslashes($_POST['harddrive']); $detail=stripslashes($_POST['detail']); $title=stripslashes($_POST['title']); $datetime=date("d/m/y h:i:s"); //create date time $query="INSERT INTO forum_question (id, user_id, cat, os, ram, graphics, harddrive, title, detail, username, datetime) VALUES('', '$user_id', '$cat', '$os', '$ram', '$graphics', '$harddrive', '$title', '$detail', '$username', '$datetime')"; mysql_query($query) or die('Error, insert query failed'); $post_no = mysql_insert_id(); ?> Link to comment https://forums.phpfreaks.com/topic/175348-stripslashes-help/ Share on other sites More sharing options...
Adam Posted September 24, 2009 Share Posted September 24, 2009 You're using it wrong. These days you don't need to use addslashes / stripslashes for escaping your inputs for use within MySQL queries. mysql_real_escape_string does a much better job. Link to comment https://forums.phpfreaks.com/topic/175348-stripslashes-help/#findComment-924081 Share on other sites More sharing options...
herghost Posted September 24, 2009 Author Share Posted September 24, 2009 Thanks Mr Adam, I have added this to my database connect file, should do the trick! //This stops SQL Injection in POST vars foreach ($_POST as $key => $value) { $_POST[$key] = mysql_real_escape_string($value); } //This stops SQL Injection in GET vars foreach ($_GET as $key => $value) { $_GET[$key] = mysql_real_escape_string($value); } Link to comment https://forums.phpfreaks.com/topic/175348-stripslashes-help/#findComment-924140 Share on other sites More sharing options...
Adam Posted September 24, 2009 Share Posted September 24, 2009 Unfortunately that doesn't completely secure you against SQL injections. Also consider that mysql_real_escape_string() returns a string, and you may sometimes wish to compare numeric data. Input validation should be performed on a per-input basis. Link to comment https://forums.phpfreaks.com/topic/175348-stripslashes-help/#findComment-924153 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.