crmamx, posted February 21, 2011

Will this prevent a SQL injection? I am guessing the answer is no because it is too simple.

    // retrieve form data ==========================================
    $ama = $_POST['ama'];

    // Check for alphanumeric characters =====================================
    $string = "$ama";
    $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string);
    // echo $new_string;

    // Send query ===========================================================
    $query = "SELECT * FROM members WHERE ama='$new_string'";
    if (!mysql_query($query)) {
        die('Error :' . mysql_error());
    }
silkfire, posted February 21, 2011

Yes it will, but your code can be shortened even further:

    $ama = preg_replace('#[^a-zA-Z0-9\s]#', '', $_POST['ama']);
    // echo $ama;

    if (!mysql_query("SELECT * FROM members WHERE ama = '$ama'"))
        die('Error :' . mysql_error() . '.');
    else
        die('Query was successful.');
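An added example, not code from either poster: the thread's allowlist filter placed beside a parameterised query, so the two defences can be compared on the same input. It assumes PHP's PDO with the sqlite driver (an in-memory database, used only so the script runs offline); the filter removes quotes, but it also silently changes legitimate values, while the prepared statement keeps an unfiltered value safe and intact.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension.

// The filter used in the thread: keep letters, digits and whitespace only.
function filterAma(string $raw): string
{
    return preg_replace('/[^a-zA-Z0-9\s]/', '', $raw);
}

// Parameterised lookup: the value is sent as data, never spliced into the
// SQL text, so a quote in it cannot end the string literal. Returns rows.
function findMembers(PDO $db, string $ama): array
{
    $stmt = $db->prepare('SELECT id, ama FROM members WHERE ama = :ama');
    $stmt->execute([':ama' => $ama]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, ama TEXT)');
// Constructed sample rows; note the member whose name contains a quote.
$db->exec("INSERT INTO members (ama) VALUES ('alice'), ('O''Brien')");

// Constructed inputs: a plain value and a legitimate value with a quote.
$inputs = ['alice', "O'Brien"];

foreach ($inputs as $raw) {
    $filtered = filterAma($raw);
    // Through the filter: the quote is stripped, so the query is safe to
    // concatenate, but "O'Brien" becomes "OBrien" and no longer matches.
    $rowsFiltered = findMembers($db, $filtered);
    // Through the prepared statement with no filtering: the quote is
    // compared as part of the value and the real row is found.
    $rowsParam = findMembers($db, $raw);
    printf(
        "raw=%s filtered=%s matches(filtered)=%d matches(param)=%d\n",
        json_encode($raw),
        json_encode($filtered),
        count($rowsFiltered),
        count($rowsParam)
    );
}
```

With the thread's mysql_query concatenation, the unfiltered "O'Brien" would instead produce a SQL syntax error that the die() call echoes to the user; the prepared statement avoids both the error and the data loss.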
crmamx (author), posted February 21, 2011

I knew there was a better way but I will never get that good with coding. Many thanks!