Minimeallolla (posted November 7, 2010):

[code]
<?php
include ("database.php");

// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result)) {
    echo $row['username'] . ": <Br> " . $row['comment'];
    echo "<p>";
}

ini_set ("display_errors", "1");
error_reporting(E_ALL);

if (isset($_POST['submit'])) {
    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    {
        echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
    }
}
[/code]

Link to comment: https://forums.phpfreaks.com/topic/217986-comment-protection-against-sql-injection-help-need-to-be-secure/
Minimeallolla (author, posted November 7, 2010):

Would this work, or something like this? Need help still \=

[code]
<?php
include ("database.php");

// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result)) {
    echo addslashes($row['username']) . ": <Br> " . addslashes($row['comment']);
    echo "<p>";
}

ini_set ("display_errors", "1");
error_reporting(E_ALL);

if (isset($_POST['submit'])) {
    $username = real_escape_string($username);
    $_POST['comment'] = real_escape_String($comment);

    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    {
        echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
    }
}
[/code]
KevinM1 (posted November 7, 2010):

Don't use addslashes. And what is real_escape_string supposed to be? Use mysql_real_escape_string on string data you want to insert into the db, or better yet, use MySQLi and parameterized statements.
Minimeallolla (author, posted November 7, 2010):

Sorry, I'm really tired \= So just like that? Will it prevent SQL injection? And protect everything?

[code]
<?php
include ("database.php");

// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result)) {
    echo ($row['username']) . ": <Br> " . ($row['comment']);
    echo "<p>";
}

ini_set ("display_errors", "1");
error_reporting(E_ALL);

if (isset($_POST['submit'])) {
    $username = mysql_real_escape_string($username);
    $_POST['comment'] = mysql_real_escape_string($comment);

    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    {
        echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
    }
}
[/code]
KevinM1 (posted November 7, 2010):

Where does $username come from? Echoing row data isn't the same as constructing a variable. Also, your assignment statement dealing with the comments is backwards. The escape function will protect you from injection, but you should validate all incoming data. When you display your comments, you'll need to combat against unwanted HTML and XSS attacks.
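The approach KevinM1 describes (MySQLi with parameterized statements, input validation, and output escaping against XSS), worked through for the same gamecomments page as an added example that is not code from the thread. It assumes database.php creates a connected mysqli object in $mysqli and that the username comes from the login session rather than the form; both are assumptions.

```php
<?php
// Added example, not the thread's own code. Assumes database.php defines a
// connected mysqli object $mysqli (assumption) and that the user is logged in
// with their name stored in $_SESSION['username'] (assumption).
include 'database.php';

ini_set('display_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();
// The username is taken from the session, never from a form field the poster controls.
$username = $_SESSION['username'] ?? null;

// Validation is separate from injection protection: the prepared statement keeps
// the SQL safe, validation rejects input the application should never store.
function validate_comment(?string $comment): ?string
{
    if ($comment === null) {
        return null;
    }
    $comment = trim($comment);
    if ($comment === '' || strlen($comment) > 2000) {
        return null;
    }
    return $comment;
}

if (isset($_POST['submit']) && $username !== null) {
    $comment = validate_comment($_POST['comment'] ?? null);
    if ($comment !== null) {
        // Placeholders keep the data apart from the SQL text, so quotes inside
        // the comment can no longer alter the statement.
        $stmt = $mysqli->prepare('INSERT INTO gamecomments (username, comment) VALUES (?, ?)');
        $stmt->bind_param('ss', $username, $comment);
        $stmt->execute();
        $stmt->close();
        header('Location: games.php');
        exit;
    }
}

// Show comments: escape on output so stored HTML or script is rendered as text, not executed.
$result = $mysqli->query('SELECT username, comment FROM gamecomments');
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . ': <br>'
       . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8') . '<p>';
}
```

Escaping on output rather than on the way into the database keeps the stored comment intact and protects every page that later displays it.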