MemphiS Posted November 15, 2007

I have the phpMyAdmin column set to TEXT. My question is: do I need to check the contents for possible SQL injections if I'm inserting the data in a TEXT column? Currently this is my code below I use to check new topics. Have you got a better way of doing this?

<?php
if (isset($_POST['subnewtop'])) {
    // $username is assumed to be set earlier in the script (e.g. from the session)
    $topic      = strip_tags(addslashes($_POST['topcontent']));
    $toaddtitle = ucfirst(strip_tags(addslashes($_POST['subject'])));
    $mytopictot = mysql_num_rows(mysql_query("SELECT `id` FROM `forum_topic` WHERE `username` = '$username' AND `forum` = 'help'"));

    // Characters allowed in the topic body besides letters and digits (BBcode brackets, punctuation, line breaks)
    $allowed = array("[", "/", "]", " ", ".", ":", ")", ",", "!", "#", "$", "%", "^", "(", "_", "-", "+", "=", "?", ";", "\r\n");

    // Validate submitted data //
    if (empty($topic) || empty($toaddtitle)) {
        print("Missing contents or subject.");
    } elseif (!ctype_alnum(str_replace($allowed, '', $topic))) {
        print("Invalid contents. BBcodes and spaces are allowed.");
    } else {
        $topic = str_replace("\r\n", "<br />", $topic);
        if (!ctype_alnum(str_replace(array(" "), '', $toaddtitle))) {
            print("Illegal characters in title.");
        } elseif ($mytopictot > 9) {
            print("You have 10 topics open already. Please await forum clearing before you open any new topics.");
        } else {
            // Then insert data
        }
    }
}
?>
<!-- the enclosing form element is assumed; it is not shown in the post -->
<form method="post" action="">
<table border='1' cellpadding='2' cellspacing='0' bordercolor='#000000'>
  <tr><td class='header' align='center' colspan="2">New Topic</td></tr>
  <tr><td>Subject</td><td><input type="text" name="subject" maxlength="30" class="input" /></td></tr>
  <tr><td colspan="2"><textarea name="topcontent" rows="10" cols="40" class="input"></textarea></td></tr>
  <tr><td align="right" colspan="2"><input type="submit" name="subnewtop" value="Submit" class="input" /></td></tr>
</table>
</form>

Link to comment https://forums.phpfreaks.com/topic/77423-forum-topics/
trq Posted November 15, 2007

> Do I need to check the contents for possible SQL injections if I'm inserting the data in a TEXT column

Yes, you need to validate/clean user input any time you use it in any query, even SELECT statements, no matter what the field type is.

Link to comment https://forums.phpfreaks.com/topic/77423-forum-topics/#findComment-391960
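As an added illustration of the answer above (this is example code, not trq's or MemphiS's own), the two queries from the question rewritten with PDO prepared statements. The point is that the column type never decides whether input is safe: the original code splices `$username` straight into the SELECT and relies on addslashes() plus a character whitelist for the body, whereas parameter binding keeps data out of the SQL text entirely, so the validation that remains is about business rules (emptiness, length, topic quota) rather than about protecting the query. The `$pdo` connection, the `title` and `content` column names, and the `$username` session variable are assumptions; the `id`, `username` and `forum` columns and the `help` forum value come from the question.

```php
<?php
// Added example, not from the original thread. Assumed connection details
// are placeholders; charset and ERRMODE settings are the ones you would
// normally want so that failures surface as exceptions, not silent false.
$pdo = new PDO(
    'mysql:host=localhost;dbname=forum_db_placeholder;charset=utf8mb4',
    'db_user_placeholder',
    'db_password_placeholder',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
    ]
);

// Assumed: the logged-in user's name is kept in the session.
$username = $_SESSION['username'] ?? '';

// The question's SELECT, with both values bound instead of interpolated.
function countOpenTopics(PDO $pdo, string $username, string $forum): int
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM `forum_topic` WHERE `username` = ? AND `forum` = ?'
    );
    $stmt->execute([$username, $forum]);
    return (int) $stmt->fetchColumn();
}

// The INSERT the question leaves as "Then insert data"; `title` and
// `content` column names are assumed. No addslashes(): the driver sends
// the values separately from the statement, so quotes in a TEXT body
// are just characters.
function insertTopic(PDO $pdo, string $username, string $forum, string $title, string $content): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO `forum_topic` (`username`, `forum`, `title`, `content`) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$username, $forum, $title, $content]);
}

if (isset($_POST['subnewtop'])) {
    $title   = trim((string) ($_POST['subject'] ?? ''));
    $content = trim((string) ($_POST['topcontent'] ?? ''));

    // Validation is still needed, but for application rules, not SQL safety.
    if ($title === '' || $content === '') {
        print('Missing contents or subject.');
    } elseif (mb_strlen($title) > 30) {           // matches the form's maxlength
        print('Title too long.');
    } elseif (countOpenTopics($pdo, $username, 'help') >= 10) {
        print('You have 10 topics open already. Please await forum clearing before you open any new topics.');
    } else {
        // Store the text as submitted; convert newlines and escape for HTML
        // at display time, e.g. nl2br(htmlspecialchars($content, ENT_QUOTES, 'UTF-8')),
        // rather than baking <br /> into the database as the original did.
        insertTopic($pdo, $username, 'help', $title, $content);
        print('Topic created.');
    }
}
```

The same approach applies with mysqli (`prepare()` / `bind_param()`); what matters is that the statement text contains only placeholders and every user-controlled value, including ones that look harmless such as a username from the session, travels as a bound parameter.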