devWhiz, posted December 28, 2011

Would this be effective in protecting against SQL injection?

    function runQuery($sqlQuery){
        $sqlQuery = str_replace(array('@@','))'),'\"',$sqlQuery);
        $sqlQuery = str_replace(array('++','--'),"\'",$sqlQuery);
        $sqlQuery = str_replace(array('**','&&'),' ',$sqlQuery);
        $runQuery = mysql_query($sqlQuery) or die(mysql_error());
        return $runQuery;
    }
Pikachu2000, posted December 28, 2011

Is there something wrong with mysql_real_escape_string() for string values, and validating/casting numeric values as the correct data type?
devWhiz (author), posted December 28, 2011

I would put the query as the param for mysql_real_escape_string?

    $query = "SELECT * FROM users";
    $escape = mysql_real_escape_string($query);
    $run = mysql_query($escape);

That query is just an example.
Pikachu2000, posted December 28, 2011

No, you would call it on all values that are of the string data type that will be used in a DB query string.

    // connect to database first
    $string_value = mysql_real_escape_string($string_value);
    $query = "SELECT field FROM table WHERE some_field = '$string_value'";
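To show the difference between the two approaches discussed above, here is an added example (not code from either poster). It assumes a live mysqli connection in $db and uses mysqli_real_escape_string(), the equivalent of the thread's mysql_real_escape_string() now that the mysql_* extension has been removed from PHP; the inputs are constructed.

```php
<?php
// Added example, not from the thread. Assumes $db is a connected mysqli
// object; mysqli_real_escape_string() stands in for mysql_real_escape_string().

// The first post's character-pair blacklist, kept unchanged for comparison.
function blacklistFilter(string $sql): string {
    $sql = str_replace(array('@@', '))'), '\"', $sql);
    $sql = str_replace(array('++', '--'), "\'", $sql);
    $sql = str_replace(array('**', '&&'), ' ', $sql);
    return $sql;
}

// The approach from the replies: escape each string value, cast each numeric
// value to its type, and only then interpolate the values into the query.
function buildUserQuery(mysqli $db, string $username, $userId): string {
    $safeName = mysqli_real_escape_string($db, $username);
    $safeId   = (int) $userId;   // anything non-numeric can never reach the SQL
    return "SELECT id, name FROM users WHERE name = '$safeName' AND id = $safeId";
}

// Constructed inputs: an ordinary name containing an apostrophe, and an id
// value that is not purely numeric.
$name = "O'Brien";
$id   = "7abc";

$filtered = blacklistFilter(
    "SELECT id, name FROM users WHERE name = '$name' AND id = $id"
);
// The single apostrophe and the letters after the id pass through untouched:
// the filter only rewrites doubled characters, so it neither confines a value
// to its string literal nor preserves legitimate data that contains quotes.
echo $filtered, "\n";

$escaped = buildUserQuery($db, $name, $id);
// The apostrophe is escaped within its literal and the id is reduced to 7,
// so the query structure is exactly what the developer wrote.
echo $escaped, "\n";
```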