tracy Posted December 5, 2006

Is there a simple line or two of code that I can place in my php pages (working with mysql also) to prevent injection attack? Thanks.

genericnumber1 Posted December 6, 2006

[code=php:0]
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
[/code]
Taken from http://www.php.net/mysql_real_escape_string

redarrow Posted December 6, 2006

At minimum, use addslashes.

willfitch Posted December 6, 2006

I wouldn't recommend addslashes. If your DB charset is set to GBK multi-byte, one could still inject your script like so:

addslashes would change 0xbf27 to 0xbf5c27, which is a valid multi-byte character followed by a single quote.

[url=http://www.phpfever.com/php-security-sql-injection-overview.html]http://www.phpfever.com/php-security-sql-injection-overview.html[/url]

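The byte sequence from the reply above, worked through as an added example (not code from any poster in this thread): it runs `addslashes` on two constructed inputs and then reads the result the way a GBK-aware parser would, to see whether a quote is left unescaped. The helpers `gbk_chars` and `has_unescaped_quote` are hypothetical names, and the lead/trail byte ranges are the standard GBK two-byte ranges.

```php
<?php
// Added example: addslashes() works on bytes and knows nothing about the
// connection character set. Inputs below are constructed sample bytes.

/** Split a byte string into characters as a GBK-aware parser would. */
function gbk_chars(string $bytes): array
{
    $out = [];
    $n = strlen($bytes);
    for ($i = 0; $i < $n; ) {
        $lead = ord($bytes[$i]);
        // GBK two-byte character: lead 0x81-0xFE, trail 0x40-0xFE except 0x7F
        if ($lead >= 0x81 && $lead <= 0xFE && $i + 1 < $n) {
            $trail = ord($bytes[$i + 1]);
            if ($trail >= 0x40 && $trail <= 0xFE && $trail !== 0x7F) {
                $out[] = substr($bytes, $i, 2);
                $i += 2;
                continue;
            }
        }
        $out[] = $bytes[$i];
        $i++;
    }
    return $out;
}

/** True if a single quote survives without a backslash character before it. */
function has_unescaped_quote(string $escaped): bool
{
    $chars = gbk_chars($escaped);
    for ($i = 0, $n = count($chars); $i < $n; $i++) {
        if ($chars[$i] === "\\") { $i++; continue; } // backslash escapes the next character
        if ($chars[$i] === "'") { return true; }
    }
    return false;
}

foreach (["O'Reilly", "\xbf\x27"] as $input) {       // constructed sample inputs
    $escaped = addslashes($input);
    printf("%-18s -> %-20s unescaped quote under GBK: %s\n",
        bin2hex($input), bin2hex($escaped),
        has_unescaped_quote($escaped) ? 'yes' : 'no');
}
```

For the second input the inserted 0x5c is absorbed as the trail byte of 0xbf5c, so the quote that follows is no longer escaped. `mysql_real_escape_string`, used in the earlier reply, escapes with the connection's character set taken into account, which `addslashes` does not.
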
tracy Posted December 6, 2006 (Author)

Thanks to all responding to this... I am researching your ideas. Other ideas welcome. Thanks again.

Archived
This topic is now archived and is closed to further replies.