Best way to protect against SQL injection?

[Andrew R]

Hi guys.

What is the recommend way to protect against an SQL injection on the following query?

[code]$query_qy = "SELECT * FROM tablename where name = '$name' && date = '$date'";
$qy= mysql_query($query_qy) or die(mysql_error());
$row_qy = mysql_fetch_assoc($qy);[/code]

Cheers

[redbullmarky]

a good ol' dose of [url=http://www.php.net/mysql_real_escape_string]mysql_real_escape_string[/url] often does the trick.

[code]
<?php
$name = mysql_real_escape_string($name);
$date = mysql_real_escape_string($date);

$query_qy = "SELECT * FROM tablename where name = '$name' && date = '$date'";
$qy= mysql_query($query_qy) or die(mysql_error());
$row_qy = mysql_fetch_assoc($qy);
?>
[/code]

[Orio]

Dont forget to use stripslashes() if magic_quotes is set, before using mysql_real_escape_string(). See more info in the mysql_real_escape_string() function in php.net, there's a very good explanation over there.
Also, check out the info about [url=http://il2.php.net/manual/en/security.database.sql-injection.php]sql injections[/url] in the manual- it's a great resource.

Orio.

[Andrew R]

Cheers for the help.  Is there any other ways I could protect my inputs and outputs?

[Snooble]

restrict the use of hex.

Snooble

[redbullmarky]

[quote author=Snooble link=topic=123708.msg511789#msg511789 date=1169588842]
restrict the use of hex.

Snooble
[/quote]

??? ???

[Snooble]

%53%45%4c%45%43%54%20%2a%20%46%52%4f%4d%20%2a

Try inputting that into your DB.

Snooble