dprichard Posted June 13, 2007

Is this going to be okay for avoiding SQL injection attacks? Thanks for any info!

```php
if (isset($_POST['add_folder'])) {
    $folder_name        = mysql_real_escape_string($_POST["folder_name"]);
    $folder_description = mysql_real_escape_string($_POST["folder_description"]);
    $folder_creator     = mysql_real_escape_string($_POST["folder_creator"]);
    $folder_status      = mysql_real_escape_string($_POST["folder_status"]);
    $folder_order       = mysql_real_escape_string($_POST["folder_order"]);
    $folder_doc_cat     = mysql_real_escape_string($_POST["folder_doc_cat"]);

    mysql_query("INSERT INTO folders
                    (folder_name, folder_description, folder_creator, folder_status, folder_order, folder_doc_cat)
                 VALUES
                    ('$folder_name', '$folder_description', '$folder_creator', '$folder_status', '$folder_order', '$folder_doc_cat')")
        or die(mysql_error());

    $record_success = "Success";
}
```
Link Posted June 13, 2007

This is a better one listed on the PHP website.

```php
function quote($value)
{
    if (is_array($value)) {
        // Apply the same rules to every element of an array
        // (the original called an undefined "checkQuery" here).
        return array_map("quote", $value);
    }

    if (get_magic_quotes_gpc()) {
        // Undo magic_quotes so the value is not escaped twice.
        $value = stripslashes($value);
    }

    if ($value == '') {
        // Return the SQL keyword NULL unquoted; falling through would
        // have quoted it and stored the literal string 'NULL'.
        return 'NULL';
    }

    if (!is_numeric($value) || $value[0] == '0') {
        // Non-numeric values, and numeric strings with a leading zero,
        // are escaped and wrapped in single quotes.
        $value = "'" . mysql_real_escape_string($value) . "'";
    }

    return $value;
}
```
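Both posts above build the SQL string by hand and rely on escaping to keep the data from being read as SQL. The following is an added example, not code from either poster or from the PHP manual, showing the same INSERT as a prepared statement: the statement text is sent to the server once with placeholders, and the values are sent separately, so a value can never change the statement's structure and neither mysql_real_escape_string() nor the quote() helper is needed. It assumes the `folders` table from the first post, a MySQL server reachable through the placeholder DSN and credentials shown, and the hypothetical functions `connect()` and `addFolder()`.

```php
<?php
// Added example (not from the thread): the first post's INSERT as a PDO prepared statement.
// DSN, user and password below are placeholders; the `folders` table is taken from the first post.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', // placeholder DSN
        'EXAMPLE_USER',                                           // placeholder user
        'EXAMPLE_PASSWORD',                                       // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares: values never touch the SQL text
        ]
    );
}

/**
 * Insert one folder row. Every user-supplied value is bound as a parameter,
 * so quotes, backslashes or comment sequences in the input are stored verbatim
 * instead of being interpreted as SQL.
 */
function addFolder(PDO $pdo, array $input): int
{
    $sql = 'INSERT INTO folders
                (folder_name, folder_description, folder_creator, folder_status, folder_order, folder_doc_cat)
            VALUES
                (:name, :description, :creator, :status, :sort_order, :doc_cat)';
    $stmt = $pdo->prepare($sql);

    // Explicit types replace the guessing that quote() does with is_numeric().
    $stmt->bindValue(':name',       $input['folder_name'],        PDO::PARAM_STR);
    $stmt->bindValue(':creator',    $input['folder_creator'],     PDO::PARAM_STR);
    $stmt->bindValue(':status',     $input['folder_status'],      PDO::PARAM_STR);
    $stmt->bindValue(':doc_cat',    $input['folder_doc_cat'],     PDO::PARAM_STR);
    $stmt->bindValue(':sort_order', (int) $input['folder_order'], PDO::PARAM_INT);

    // Same intent as quote()'s empty-string-to-NULL rule, done with a typed NULL
    // rather than by splicing the word NULL into the query string.
    if ($input['folder_description'] === '') {
        $stmt->bindValue(':description', null, PDO::PARAM_NULL);
    } else {
        $stmt->bindValue(':description', $input['folder_description'], PDO::PARAM_STR);
    }

    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

if (isset($_POST['add_folder'])) {
    $required = ['folder_name', 'folder_description', 'folder_creator',
                 'folder_status', 'folder_order', 'folder_doc_cat'];
    foreach ($required as $field) {
        if (!isset($_POST[$field])) {
            http_response_code(400);
            exit('Missing field: ' . $field);   // reject incomplete submissions before touching the database
        }
    }

    $pdo = connect();
    $newId = addFolder($pdo, $_POST);
    $record_success = "Success";
}
```

The `mysql_*` functions used in both posts were removed in PHP 7.0, so on any current PHP the choice is between PDO (shown here) and mysqli; both support prepared statements in the same way. Note that parameters can only stand in for values: table names, column names and ORDER BY directions still have to come from a fixed allow-list in your code, never from the request.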