MemphiS, posted September 14, 2007:
When I've set the MySQL table row to TEXT, does this mean it will only read any saved data in it as text? Just asking as I don't wish to have an SQL injection leak in my forum posts. Currently I validate most of the characters, but ones like & , ' " ; I just default it to an error and don't save it in the db.
darkfreaks, posted September 14, 2007:
If you're worried about injection attacks then do
<?php
// Needs an open MySQL connection (old mysql extension).
$variable = $_POST['variable'];
$variable = mysql_real_escape_string($variable);
?>
marcus, posted September 14, 2007:
Text is basically any character of your character Unicode. Normal text fields hold up to 65,000 bytes; if it exceeds, it will truncate itself. MEDIUMTEXT holds up to 16 million characters. LONGTEXT holds up to 4 trillion characters.
darkfreaks, posted September 14, 2007:
mysql_real_escape_string will escape all special characters before inserting to database.
MemphiS (Author), posted September 14, 2007:
Thanks... I already have strip_tags(addslashes()) and check the input with ctype_alnum(). I was simply asking if the SQL TEXT will go into the db as straight TEXT so characters like ' " , & || won't cause problems.
marcus, posted September 14, 2007:
It should go successfully.
darkfreaks, posted September 14, 2007:
You're still better off adding mysql_real_escape_string.
redarrow, posted September 14, 2007:
mysql_real_escape_string($what_ever). You need to read and try, ok.
darkfreaks, posted September 14, 2007:
mysql_real_escape_string is the best way to plug SQL injection leaks.
marcus, posted September 14, 2007:
I think we get the point.
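Added example, not part of any post in this thread: it saves a post containing the characters asked about (' " ; & ||) into a TEXT column three ways, showing that the column type plays no part in how the query string is parsed, while driver escaping and bound parameters both store the characters verbatim. Assumptions: SQLite in memory through PDO stands in for MySQL so the script runs offline, and the `posts` table, the function names and the sample post are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so this runs offline
// (assumption; requires the pdo_sqlite extension). Table and function names
// are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample post containing the characters asked about in the thread.
$post = 'It\'s a "test"; a & b || c, done';

// 1. Concatenation: the server parses the whole string as SQL before the
//    TEXT column is ever involved, so the quote ends the literal early.
function saveConcatenated(PDO $db, string $body): string
{
    try {
        $db->exec("INSERT INTO posts (body) VALUES ('" . $body . "')");
        return 'stored';
    } catch (PDOException $e) {
        return 'rejected by SQL parser';
    }
}

// 2. Driver escaping: PDO::quote() plays the role that
//    mysql_real_escape_string() plays for the old mysql extension.
function saveEscaped(PDO $db, string $body): int
{
    $db->exec('INSERT INTO posts (body) VALUES (' . $db->quote($body) . ')');
    return (int) $db->lastInsertId();
}

// 3. Bound parameter: the value travels separately from the SQL text.
function saveBound(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function readBody(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

echo saveConcatenated($db, $post), PHP_EOL;
var_dump(readBody($db, saveEscaped($db, $post)) === $post);
var_dump(readBody($db, saveBound($db, $post)) === $post);
```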