JeBu
Posted July 24, 2007

How is it safe to send info to a MySQL database? Should I encrypt/encode the data before sending it?

For example:

    <?php
    // ... connection is established ...
    // $var1 and $var2 are placed into the SQL text exactly as received
    $insert = "INSERT INTO table_name VALUES('$var1', '$var2')";
    mysql_query($insert);
    ?>

Is it possible to get access to my database, i.e. to DROP TABLE/DATABASE or something? I have heard of MySQL injection.

Any help/link is welcome.

tomfmason
Posted July 24, 2007

I would first clean it using something like mysql_real_escape_string. This should prevent most types of insertion. Also, you need to list the field names in your query, like this:

    $sql = "INSERT INTO `table` (`field1`, `field2`) VALUES('$var1', '$var2')";

GingerRobot
Posted July 24, 2007

Well, you don't actually HAVE to list the field names. If you're inserting into all of the fields, it's perfectly valid not to.

JeBu (Author)
Posted July 24, 2007

> Well, you don't actually HAVE to list the field names. If you're inserting into all of the fields, it's perfectly valid not to.

Yes, I know that (using 'NULL's for example for id's).
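
Added example, not part of the thread or any poster's code: the INSERT from the question run once with the values spliced into the SQL string and once as a prepared statement, which is a different technique from the escaping suggested above. It assumes PHP with the pdo_sqlite extension, uses an in-memory SQLite database in place of MySQL so it runs offline, and takes the column names `field1`/`field2` from the reply; the input values are constructed.

```php
<?php
// SQLite in memory stands in for MySQL here (assumption, so the script runs offline).
// Against MySQL only the DSN and credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE table_name (field1 TEXT, field2 TEXT)');

// Constructed input: the quote ends the string literal early, so the rest is
// parsed as SQL, here a second row the application never meant to insert.
$var1 = 'alice';
$var2 = "x'), ('extra', 'row";

// 1) String-built query, as in the question: the input becomes part of the statement.
$pdo->exec("INSERT INTO table_name (field1, field2) VALUES('$var1', '$var2')");
$unsafeRows = (int) $pdo->query('SELECT COUNT(*) FROM table_name')->fetchColumn();

// 2) Prepared statement: the SQL text is fixed and the values are bound
//    separately, so quotes inside them are stored as data, not parsed.
$pdo->exec('DELETE FROM table_name');
$stmt = $pdo->prepare('INSERT INTO table_name (field1, field2) VALUES (:f1, :f2)');
$stmt->execute([':f1' => $var1, ':f2' => $var2]);
$safeRows = (int) $pdo->query('SELECT COUNT(*) FROM table_name')->fetchColumn();
$stored   = $pdo->query('SELECT field2 FROM table_name')->fetchColumn();

// Compare how many rows each approach created and what the bound value looks like.
printf("string-built query inserted %d row(s)\n", $unsafeRows);
printf("prepared statement inserted %d row(s); field2 = %s\n",
       $safeRows, var_export($stored, true));
```

The row counts differ because only the string-built query lets the input change the shape of the statement.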