dotkpay, posted September 21, 2011:

Hello, I have been using the preg_match() to throw out invalid form characters and then both mysql_real_escape_string() and stripslashes() to escape data variables before using them with MySQL. But how about messages from a text area, for example on a contact form? You can't limit the characters for the user. Is escaping variables good enough to eliminate SQL injections from user input?

AyKay47, posted September 21, 2011:

textareas are no different than input fields.. normally using a combination of mysql_real_escape_string and htmlentities is a good start..
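
An added example, not part of the thread: the posts discuss mysql_real_escape_string and htmlentities; this sketch swaps in a different technique, PDO prepared statements, for the database side and applies htmlentities only when the message is rendered as HTML. It assumes the pdo_sqlite extension so it runs offline; the table and column names, function names and sample message are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes pdo_sqlite is available.
// Table, columns, function names and the sample message are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)');

function saveMessage(PDO $pdo, string $sender, string $body): int
{
    // A length limit is input validation, not an injection defence.
    if ($body === '' || strlen($body) > 5000) {
        throw new InvalidArgumentException('Message must be 1-5000 bytes');
    }
    // Placeholders keep user data out of the SQL text, so free-form
    // textarea content needs no character blacklist and no escaping.
    $stmt = $pdo->prepare('INSERT INTO messages (sender, body) VALUES (:sender, :body)');
    $stmt->execute([':sender' => $sender, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function renderMessage(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT sender, body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    // HTML-encode at output time, for the HTML context only.
    // Encoding before storage would corrupt the saved text.
    return '<p><b>' . htmlentities($row['sender'], ENT_QUOTES, 'UTF-8') . '</b>: '
         . nl2br(htmlentities($row['body'], ENT_QUOTES, 'UTF-8')) . '</p>';
}

// Constructed textarea input: quotes, SQL metacharacters, a newline and markup.
$body = "It's broken'); DROP TABLE messages; --\n<script>alert(1)</script>";
$id = saveMessage($pdo, "O'Brien", $body);

// The message is stored byte-for-byte and the table is intact.
$stmt = $pdo->prepare('SELECT body FROM messages WHERE id = :id');
$stmt->execute([':id' => $id]);
var_dump($stmt->fetchColumn() === $body);
echo $pdo->query('SELECT COUNT(*) FROM messages')->fetchColumn(), " row(s)\n";
echo renderMessage($pdo, $id), "\n";
```
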
Archived
This topic is now archived and is closed to further replies.