JeBu
Posted July 24, 2007

How is it safe to send info to MySQL database? Should I encrypt/encode the data before sending it? For example:

    <?php
    ...
    //connection is established
    ...
    $insert = "INSERT INTO table_name VALUES('$var1', '$var2')";
    mysql_query($insert);
    ?>

Is it possible to get access to my database, i.e. to DROP TABLE/DATABASE or something? Have heard of MySQL injection.

Any help/link is welcome.

tomfmason
Posted July 24, 2007

I would first clean it using something like mysql_real_escape_string. This should prevent most types of insertion. Also you need to list the field names in your query like this:

    $sql = "INSERT INTO `table` (`field1`, `field2`) VALUES('$var1', '$var2')";
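
The question's interpolated INSERT next to the escaping suggested above and a prepared statement, as an added example that is not code from either poster. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so it runs offline, PDO::quote() stands in for mysql_real_escape_string, the `accounts` table and its columns are hypothetical, and the input value is constructed.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL (assumption).
// Table and column names (accounts, name, role) are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (name TEXT, role TEXT)');

// Constructed input: the embedded quote ends the string literal early
// and the trailing "-- " comments out the rest of the statement.
$var1 = "alice', 'admin') -- ";
$var2 = 'user';

// 1. Interpolation, as in the question: the input becomes part of the
//    SQL text, so the database parses it as SQL rather than as data.
$unsafe = "INSERT INTO accounts VALUES('$var1', '$var2')";
$db->exec($unsafe);

// 2. Escaping: the quote characters inside the value are neutralised,
//    so the whole value stays inside one string literal.
$escaped = 'INSERT INTO accounts (name, role) VALUES ('
    . $db->quote($var1) . ', ' . $db->quote($var2) . ')';
$db->exec($escaped);

// 3. Prepared statement: the SQL text is fixed and the values are sent
//    separately, so no input can change the statement's structure.
$stmt = $db->prepare(
    'INSERT INTO accounts (name, role) VALUES (:name, :role)'
);
$stmt->execute([':name' => $var1, ':role' => $var2]);

// Show what each variant actually stored.
foreach ($db->query('SELECT rowid, name, role FROM accounts') as $row) {
    printf("%d name=[%s] role=[%s]\n",
        $row['rowid'], $row['name'], $row['role']);
}
```

The first row is stored with a role chosen by the input instead of the `$var2` the code supplied. The second and third rows store the input verbatim as the name, with the role the code intended.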

GingerRobot
Posted July 24, 2007

Well, you don't actually HAVE to list the field names. If you're inserting into all of the fields, it's perfectly valid not to.

JeBu (Author)
Posted July 24, 2007

> Well, you don't actually HAVE to list the field names. If you're inserting into all of the fields, it's perfectly valid not to.

Yes, I know that (using 'NULL's for example for id's).

Archived
This topic is now archived and is closed to further replies.