
Avoiding SQL Injection Attacks


dprichard


Is this going to be okay for avoiding SQL Injection Attacks? 

 

Thanks for any info!

 

if (isset($_POST['add_folder'])) {
    // Escape each posted value before it is placed inside a quoted SQL string literal
    $folder_name        = mysql_real_escape_string($_POST["folder_name"]);
    $folder_description = mysql_real_escape_string($_POST["folder_description"]);
    $folder_creator     = mysql_real_escape_string($_POST["folder_creator"]);
    $folder_status      = mysql_real_escape_string($_POST["folder_status"]);
    $folder_order       = mysql_real_escape_string($_POST["folder_order"]);
    $folder_doc_cat     = mysql_real_escape_string($_POST["folder_doc_cat"]);

    // Every value is wrapped in single quotes, so the escaping above applies to all of them
    mysql_query("INSERT INTO folders (folder_name, folder_description, folder_creator, folder_status, folder_order, folder_doc_cat) VALUES ('$folder_name', '$folder_description', '$folder_creator', '$folder_status', '$folder_order', '$folder_doc_cat')") or die(mysql_error());
    $record_success = "Success";
}


This is a better one listed on the PHP website. 

 

function quote($value) {
    // Recurse into arrays so every element is quoted individually
    if (is_array($value)) {
        return array_map("quote", $value);
    }
    // Undo magic_quotes so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Empty input becomes an unquoted SQL NULL, not the string 'NULL'
    if ($value === '') {
        return 'NULL';
    }
    // Quote and escape anything that is not a plain number;
    // numeric strings with a leading zero stay quoted so the zero is kept
    if (!is_numeric($value) || $value[0] == '0') {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
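As an added example that is not part of the thread, here is the first post's folders INSERT rewritten with a PDO prepared statement, the replacement for the escape-then-concatenate approach taken in both snippets above; the DSN, database user and password are placeholders.

```php
<?php
// Added example, not code from the thread: the same folders INSERT done with a
// PDO prepared statement, so posted values travel as bound parameters and never
// become part of the SQL text. Connection details below are placeholders.

function add_folder(PDO $pdo, array $post): bool
{
    // folder_order is the only numeric column; reject anything that is not an integer
    $order = filter_var($post['folder_order'] ?? null, FILTER_VALIDATE_INT);
    if ($order === false) {
        return false;
    }

    $stmt = $pdo->prepare(
        'INSERT INTO folders
             (folder_name, folder_description, folder_creator,
              folder_status, folder_order, folder_doc_cat)
         VALUES (:name, :description, :creator, :status, :order, :doc_cat)'
    );

    // Bind a text column; an empty or missing field is stored as a real SQL NULL,
    // not as the four-character string "NULL".
    $bindText = static function (string $param, string $field) use ($stmt, $post): void {
        $value = $post[$field] ?? '';
        if ($value === '') {
            $stmt->bindValue($param, null, PDO::PARAM_NULL);
        } else {
            $stmt->bindValue($param, $value, PDO::PARAM_STR);
        }
    };
    $bindText(':name', 'folder_name');
    $bindText(':description', 'folder_description');
    $bindText(':creator', 'folder_creator');
    $bindText(':status', 'folder_status');
    $bindText(':doc_cat', 'folder_doc_cat');
    $stmt->bindValue(':order', $order, PDO::PARAM_INT);

    return $stmt->execute();
}

if (isset($_POST['add_folder'])) {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', // placeholder DSN
        'DB_USER', 'DB_PASS',                                   // placeholder credentials
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]                   // real server-side prepares
    );
    $record_success = add_folder($pdo, $_POST) ? 'Success' : 'Failed';
}
```

The mysql_* functions used in both snippets were removed in PHP 7.0, so this is also the migration path for that code.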
