ataria Posted November 24, 2006

This is what I have so far.

[code]
<?php
// database connection.
function protect($input)
{
    $input = mysql_real_escape_string($input);
    $input = eregi_replace("%", "", $input);
    $input = eregi_replace("--", "", $input);
    $input = htmlspecialchars(mysql_real_escape_string($input));
    return $input;
}
$_COOKIE = array_map("protect", $_COOKIE);
array_map('mysql_real_escape_string', $_POST);
array_map('mysql_real_escape_string', $_GET);
?>
[/code]

Is there anything I need to add? Or is it good enough?

btherl Posted November 24, 2006

mysql_real_escape_string() already does the necessary escaping. As long as you use that string inside single quotes, you will be fine.

There's no need for the other lines.

You might need to urldecode() your input first as well, depending on what type of input it is.

[code=php:0]
$escaped_input = mysql_real_escape_string(urldecode($_POST['input']));
$sql = "INSERT INTO table VALUES ('$escaped_input')";
[/code]

ataria (Author) Posted November 24, 2006

Where would I put that?

marcus Posted November 24, 2006

Below

[code]
function protect($input){
[/code]

ataria (Author) Posted November 24, 2006

Added. Thanks!
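
Added example, not part of any post in this thread: it shows why the advice above depends on the escaped value sitting inside single quotes, and why stripping `%` and `--` or HTML-encoding before storage is unnecessary. Assumptions: PDO with in-memory SQLite stands in for the MySQL connection so the script runs without a server, `escape_only()` is a hypothetical helper playing the role of mysql_real_escape_string(), and all input values are constructed.

```php
<?php
// Added example. PDO + in-memory SQLite replaces the mysql_* connection
// (assumption: the pdo_sqlite extension is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)");

// Hypothetical helper: escape for the driver without adding the surrounding
// quotes, which is the job mysql_real_escape_string() does in the thread.
function escape_only(PDO $db, string $value): string
{
    return substr($db->quote($value), 1, -1);
}

// Constructed input containing everything protect() strips or rewrites.
$body = "50% off -- ask for O'Brien <b>today</b>";

// 1. Escaped AND inside single quotes: the value is stored unmodified.
$db->exec("INSERT INTO notes (body) VALUES ('" . escape_only($db, $body) . "')");
$stored = $db->query("SELECT body FROM notes WHERE id = 1")->fetchColumn();
var_dump($stored === $body);

// 2. Escaped but NOT inside quotes: this constructed value contains nothing
//    that escaping changes, so the OR clause becomes part of the query.
$db->exec("INSERT INTO notes (body) VALUES ('second row')");
$id = "1 OR 1=1";
$unquoted = "SELECT COUNT(*) FROM notes WHERE id = " . escape_only($db, $id);
var_dump((int) $db->query($unquoted)->fetchColumn());

// 3. Bound parameter: the value is sent as data and never parsed as SQL.
$stmt = $db->prepare("SELECT COUNT(*) FROM notes WHERE id = ?");
$stmt->execute([$id]);
var_dump((int) $stmt->fetchColumn());

// 4. HTML-encode when the value is printed into a page, not before storing it.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Comparing the counts printed by steps 2 and 3 shows the difference between concatenating an escaped value into an unquoted position and binding it as a parameter.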