AdRock Posted February 22, 2007 Share Posted February 22, 2007 I have this code to insert data into my database but I have no idea on how to prevent SQL injection attacks. $name = stripslashes($_POST['txtName']); $message = stripslashes($_POST['txtMessage']); include_once("../includes/connection.php"); // The URLs matched so send the email $date = date("Y/m/d"); $query = "INSERT INTO news VALUES ('','$name','$message','$date','$pic','n')"; mysql_query($query); mysql_close(); Can anyone please tell me how I prevent them? Link to comment https://forums.phpfreaks.com/topic/39718-sql-injection-attacks-prevention/ Share on other sites More sharing options...
corbin Posted February 22, 2007 Share Posted February 22, 2007 Google it. Link to comment https://forums.phpfreaks.com/topic/39718-sql-injection-attacks-prevention/#findComment-191759 Share on other sites More sharing options...
btherl Posted February 23, 2007 Share Posted February 23, 2007 Call mysql_real_escape_string() on every string that you pass to the database. For non-string data, you will have to do other checks. To get an idea of what's going on, try printing your data before and after escaping, as well as the query. Try inputs which include characters like ', ", ; Link to comment https://forums.phpfreaks.com/topic/39718-sql-injection-attacks-prevention/#findComment-191841 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.