devWhiz Posted December 28, 2011

Would this be effective in protecting against SQL injection?

```php
function runQuery($sqlQuery){
    $sqlQuery = str_replace(array('@@','))'),'\"',$sqlQuery);
    $sqlQuery = str_replace(array('++','--'),"\'",$sqlQuery);
    $sqlQuery = str_replace(array('**','&&'),' ',$sqlQuery);
    $runQuery = mysql_query($sqlQuery) or die(mysql_error());
    return $runQuery;
}
```

https://forums.phpfreaks.com/topic/253977-protecting-against-sql-injection/
Pikachu2000 Posted December 28, 2011

Is there something wrong with mysql_real_escape_string() for string values, and validating/casting numeric values as the correct data type?
devWhiz Posted December 28, 2011

I would put the query as the param for mysql_real_escape_string?

```php
$query = "SELECT * FROM users";
$escape = mysql_real_escape_string($query);
$run = mysql_query($escape);
```

that query is just an example
Pikachu2000 Posted December 28, 2011

No, you would call it on all values that are of the string data type, that will be used in a DB query string.

```php
// connect to database first
$string_value = mysql_real_escape_string($string_value);
$query = "SELECT field FROM table WHERE some_field = '$string_value'";
```
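The advice above, escaping each string value and casting each numeric value, worked through as an added example that is not from this thread. It uses PDO on an in-memory SQLite database so it runs offline (assumes the pdo_sqlite extension); the table, columns and rows are constructed for the demonstration, and PDO::quote() stands in for mysql_real_escape_string().

```php
<?php
// Constructed sample schema and data for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (id, name, role) VALUES (1, 'alice', 'admin'), (2, 'O''Brien', 'user')");

// Approach 1 (what the reply describes): escape every string value right before it is
// interpolated, and force numeric values to the right type. PDO::quote() is PDO's counterpart
// of mysql_real_escape_string(); unlike it, quote() also adds the surrounding quotes.
function findByNameEscaped(PDO $db, string $name, $minId): array
{
    $safeName  = $db->quote($name);   // O'Brien becomes 'O''Brien', so the apostrophe is data
    $safeMinId = (int) $minId;        // numeric input: cast it, never interpolate the raw value
    $sql = "SELECT id, name FROM users WHERE name = $safeName AND id >= $safeMinId";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Approach 2: a prepared statement with bound parameters. The value never becomes part of
// the SQL text at all, so there is no escaping step that can be forgotten.
function findByNameBound(PDO $db, string $name, $minId): array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name AND id >= :min_id");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':min_id', (int) $minId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Contrast: the runQuery() filter in the opening post never touches a single quote, so a
// perfectly legitimate name such as O'Brien already breaks a query built by raw interpolation.
$raw = "SELECT id FROM users WHERE name = 'O'Brien'";
try {
    $db->query($raw);
    echo "raw query ran\n";
} catch (PDOException $e) {
    echo "raw interpolation failed: " . $e->getMessage() . "\n";
}

print_r(findByNameEscaped($db, "O'Brien", "2"));  // one row: id 2, name O'Brien
print_r(findByNameBound($db, "O'Brien", "2"));    // same row via bound parameters
```

Both functions return the O'Brien row, while the raw string throws a syntax error; the same pattern applies unchanged to MySQL through PDO's mysql driver.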