AdRock Posted February 22, 2007 Share Posted February 22, 2007 I have this code to insert data into my database but I have no idea on how to prevent SQL injection attacks. $name = stripslashes($_POST['txtName']); $message = stripslashes($_POST['txtMessage']); include_once("../includes/connection.php"); // The URLs matched so send the email $date = date("Y/m/d"); $query = "INSERT INTO news VALUES ('','$name','$message','$date','$pic','n')"; mysql_query($query); mysql_close(); Can anyone please tell me how I prevent them? Quote Link to comment Share on other sites More sharing options...
corbin Posted February 22, 2007 Share Posted February 22, 2007 Google it. Quote Link to comment Share on other sites More sharing options...
btherl Posted February 23, 2007 Share Posted February 23, 2007 Call mysql_real_escape_string() on every string that you pass to the database. For non-string data, you will have to do other checks. To get an idea of what's going on, try printing your data before and after escaping, as well as the query. Try inputs which include characters like ', ", ; Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.