dotkpay, posted September 21, 2011

Hello, I have been using preg_match() to throw out invalid form characters and then both mysql_real_escape_string() and stripslashes() to escape data variables before using them with MySQL. But what about messages from a text area, for example on a contact form? You can't limit the characters for the user. Is escaping variables good enough to eliminate SQL injections from user input?

Thread: https://forums.phpfreaks.com/topic/247587-php-sql-injections/
AyKay47, posted September 21, 2011

Textareas are no different than input fields. Normally, using a combination of mysql_real_escape_string and htmlentities is a good start.
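As an added example that is not part of either post, the code below stores the kind of free-form textarea message dotkpay asks about, first with the escaping approach AyKay47 describes (real_escape_string for the SQL context, htmlspecialchars for the HTML context on output) and then with a prepared statement, which binds the message as data so its contents cannot alter the query text. The table `contact_messages`, its columns, the connection credentials and the form field names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table
//   contact_messages(id INT AUTO_INCREMENT, name VARCHAR(100), message TEXT)
// and a mysqli connection; table, columns and credentials are placeholders.

declare(strict_types=1);

// Escaping approach from the thread, using the mysqli equivalent of
// mysql_real_escape_string(). Escaping must be the last step before the
// query string is assembled: any later stripslashes() would undo it.
function insertWithEscaping(mysqli $db, string $name, string $message): bool
{
    $safeName    = $db->real_escape_string($name);
    $safeMessage = $db->real_escape_string($message);
    $sql = "INSERT INTO contact_messages (name, message)
            VALUES ('$safeName', '$safeMessage')";
    return $db->query($sql) === true;
}

// Prepared statement: the SQL text contains only placeholders, and the
// textarea contents travel to the server as bound parameters, so no
// quote, comment marker or keyword in the message can change the query.
function insertWithPreparedStatement(mysqli $db, string $name, string $message): bool
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, message) VALUES (?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// HTML encoding is a separate concern from SQL escaping: store the raw
// text in the database and encode it for the HTML context when rendering.
function renderMessage(string $message): string
{
    return nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Usage (connection details and POST field names are placeholders).
$db = new mysqli('localhost', 'db_user', 'db_password', 'contact_db');
// real_escape_string() escapes according to the connection charset, so
// set it explicitly rather than relying on the server default.
$db->set_charset('utf8mb4');

$name    = $_POST['name']    ?? '';
$message = $_POST['message'] ?? '';

if (insertWithPreparedStatement($db, $name, $message)) {
    echo renderMessage($message);
}
```

The escaping function is shown only to mirror the thread's approach; the prepared-statement version is the one to reach for, since it does not depend on the charset being set correctly or on the escaping happening last in the pipeline.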