cliftonbazaar Posted March 30, 2018

I have the following code:

    $sql_statement = "SELECT * FROM toon WHERE ally_code = '".$user['ally_code']."' and name = '".$toons_array[$i][1]."' LIMIT 1";

which works except if the person's 'name' has quotation marks in it; for example, the name Adam "Danger" Smith doesn't match Adam Danger Smith. My best attempt was:

    // the double quote inside the SQL has to be escaped (\") or it ends the PHP string
    $sql_statement = "SELECT * FROM toon WHERE ally_code = '".$user['ally_code']."' and trim( both '\"' from name) = '".$toons_array[$i][1]."' LIMIT 1";

Any suggestions please?
requinix Posted March 30, 2018

You've discovered SQL injection. It's not a bug, it's a vulnerability. Learn to use prepared statements instead of putting values directly into the query.
cliftonbazaar (Author) Posted March 31, 2018

Then wouldn't stripping the quotation marks also stop the injection attack? At the moment it only happens when there are quotation marks around their middle name; this is information pulled from a third-party site, so I can't stop it on their end.
mac_gyver Posted March 31, 2018

"Then wouldn't stripping the quotation marks also stop the injection attack?"

No. SQL can be injected that contains no quotes, which your proposed method won't protect against. Do what was stated and use prepared queries, with place-holders for the data values in the SQL query statement, then provide the data values when the query gets executed. This will also greatly simplify your SQL query statement, because the PHP variables, the single quotes around the values, and the concatenation dots will be removed.
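The prepared-query version of the lookup from this thread, as an added example rather than code any poster supplied. It uses PDO (bundled with PHP) and assumes the `toon` table with its `ally_code` and `name` columns from the first post; the DSN and credentials are placeholders, and the `$user` and `$toons_array` values at the bottom are constructed sample input standing in for the data the original script pulls from the third-party site.

```php
<?php
// Added example: the same lookup done with a PDO prepared statement.
// Assumes the `toon` table (columns ally_code, name) from the thread;
// DSN/credentials below are placeholders to replace with your own.

function findToon(PDO $pdo, string $allyCode, string $name): ?array
{
    // The query text contains only placeholders. PDO sends the values to the
    // server separately, so quotes inside $name (e.g. Adam "Danger" Smith)
    // are plain data: no escaping, no stripping, no chance of being parsed as SQL.
    $stmt = $pdo->prepare(
        'SELECT * FROM toon WHERE ally_code = :ally_code AND name = :name LIMIT 1'
    );
    $stmt->execute([
        ':ally_code' => $allyCode,
        ':name'      => $name,
    ]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4', // placeholder DSN
    'YOUR_USER',                                            // placeholder
    'YOUR_PASSWORD',                                        // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Constructed sample input shaped like the thread's $user and $toons_array.
$user        = ['ally_code' => '123456789'];
$toons_array = [
    ['t1', 'Adam "Danger" Smith'],   // quotes in the name now match literally
    ['t2', "O'Brien"],               // single quotes are just data too
];

foreach ($toons_array as $toon) {
    $row = findToon($pdo, $user['ally_code'], $toon[1]);
    echo $toon[1], ': ', ($row === null ? 'no match' : 'matched id ' . $row['id']), PHP_EOL;
}
```

Note that the name comparison is now exact: a stored `Adam Danger Smith` will not match an incoming `Adam "Danger" Smith`, which is the behaviour the first post's `trim(both '"' from name)` attempt was trying to emulate. If that looser match is really wanted, keep the `TRIM(...)` on the column side of the SQL and still bind the incoming value with a placeholder; the data source never touches the query text either way.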