
Forum Topics


MemphiS


I have the PHPMYADMIN column set to TEXT.

 

My question is: do I need to check the contents for possible SQL injections if I'm inserting the data in a TEXT column?

 

Currently this is my code below that I use to check new topics.

 

Have you got a better way of doing this?

 

<?php
// Assumed to be provided by the surrounding page: $username (the logged-in
// user, e.g. from the session) and an already-open mysql_connect() link.
if (isset($_POST['subnewtop'])) {
    // addslashes() escapes quotes and backslashes; strip_tags() removes HTML.
    $topic      = strip_tags(addslashes($_POST['topcontent']));
    $toaddtitle = ucfirst(strip_tags(addslashes($_POST['subject'])));

    // Count this user's open topics in the "help" forum.
    // Note: $username is interpolated into the query without any escaping.
    $mytopictot = mysql_num_rows(mysql_query(
        "SELECT `id` FROM `forum_topic` WHERE `username` = '$username' AND `forum` = 'help'"
    ));

    // Characters allowed in the body in addition to letters and digits
    // (BBCode brackets, punctuation, spaces and CRLF line breaks).
    $allowed = array("[", "/", "]", " ", ".", ":", ")", ",", "!", "#", "$", "%", "^", "(", "_", "-", "+", "=", "?", ";", "\r\n");

    // Validate submitted data //
    if (empty($topic) || empty($toaddtitle)) {
        print("Missing contents or subject.");
    } elseif (!ctype_alnum(str_replace($allowed, '', $topic))) {
        print("Invalid contents. BBcodes and spaces are allowed.");
    } else {
        // Turn line breaks into HTML line breaks for display.
        $topic = str_replace("\r\n", "<br />", $topic);

        // Title may only contain letters, digits and spaces.
        if (!ctype_alnum(str_replace(array(" "), '', $toaddtitle))) {
            print("Illegal characters in title.");
        } elseif ($mytopictot > 9) {
            print("You have 10 topics open already. Please await forum clearing before you open any new topics.");
        } else {
            // Then insert data
        }
    }
}
?>
<!-- method="post" is required by the $_POST checks above; the form element was missing from the posted snippet -->
<form method="post">
<table border='1' cellpadding='2' cellspacing='0' bordercolor='#000000'>
<tr><td class='header' align='center' colspan="2">New Topic</td></tr>
<tr><td>Subject</td><td><input type="text" name="subject" maxlength="30" class="input" /></td></tr>
<tr><td colspan="2"><textarea name="topcontent" rows="10" cols="40" class="input"></textarea></td></tr>
<tr><td align="right" colspan="2"><input type="submit" name="subnewtop" value="Submit" class="input" /></td></tr>
</table>
</form>


Do I need to check the contents for possible SQL injections if I'm inserting the data in a TEXT column?

 

Yes, you need to validate/clean user input anytime you use it in any query, even SELECT statements, no matter what the field type is.

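The answer above holds regardless of column type because the injection happens while the SQL string is being assembled, before the database ever looks at the column. The following is an added example, not code from either post in this thread: it rebuilds the posted `forum_topic` lookup and insert in Python against an in-memory SQLite database (chosen so that it runs stand-alone; the same reasoning applies to PHP's `mysql_query`), with constructed rows and constructed payloads, and contrasts string-built queries with bound parameters. Note that the posted code applies `addslashes()` to the two form fields but interpolates `$username` into the SELECT raw, which is the case the first payload targets. All table rows, usernames and payloads below are constructed for the demonstration.

```python
import sqlite3

# Constructed schema mirroring the thread's forum_topic table; the columns
# are deliberately TEXT to show the type offers no protection at all.
SCHEMA = """
CREATE TABLE forum_topic (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    forum    TEXT NOT NULL,
    title    TEXT NOT NULL,
    content  TEXT NOT NULL
);
"""


def new_db():
    """In-memory database seeded with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO forum_topic (username, forum, title, content) VALUES (?, ?, ?, ?)",
        [
            ("alice", "help", "Login broken", "Cannot log in since Monday."),
            ("alice", "general", "Hello", "New here."),
            ("bob", "help", "Upload fails", "500 error on upload."),
        ],
    )
    return conn


def count_help_topics_vulnerable(conn, username):
    """String-built query, like the thread's mysql_query("... '$username' ...")."""
    sql = ("SELECT id FROM forum_topic WHERE username = '%s' AND forum = 'help'"
           % username)
    return len(conn.execute(sql).fetchall())


def count_help_topics_safe(conn, username):
    """Same query with a bound parameter; the value never becomes SQL text."""
    sql = "SELECT id FROM forum_topic WHERE username = ? AND forum = 'help'"
    return len(conn.execute(sql, (username,)).fetchall())


def insert_topic_vulnerable(conn, username, title, content):
    """Interpolating into an INSERT; a TEXT column does not stop a quote."""
    sql = ("INSERT INTO forum_topic (username, forum, title, content) "
           "VALUES ('%s', 'help', '%s', '%s')" % (username, title, content))
    conn.execute(sql)
    conn.commit()


def insert_topic_safe(conn, username, title, content):
    """Parameterised INSERT: quotes, commas and parentheses are stored literally."""
    sql = ("INSERT INTO forum_topic (username, forum, title, content) "
           "VALUES (?, 'help', ?, ?)")
    conn.execute(sql, (username, title, content))
    conn.commit()


def rows_for(conn, username):
    """(title, content) pairs stored for one user, fetched with a bound parameter."""
    return conn.execute(
        "SELECT title, content FROM forum_topic WHERE username = ?", (username,)
    ).fetchall()


def demo():
    results = {}

    # 1. The per-user topic limit compares a TEXT column; an unescaped
    #    username turns "my topics in help" into "every topic in the table".
    conn = new_db()
    payload = "nobody' OR 1=1 --"
    results["vuln_count"] = count_help_topics_vulnerable(conn, payload)  # 3
    results["safe_count"] = count_help_topics_safe(conn, payload)        # 0

    # 2. A plain apostrophe in legitimate content breaks the string-built INSERT.
    try:
        insert_topic_vulnerable(conn, "carol", "Quotes", "O'Reilly style")
        results["vuln_quote"] = "inserted"
    except sqlite3.OperationalError:
        results["vuln_quote"] = "sql error"
    insert_topic_safe(conn, "carol", "Quotes", "O'Reilly style")
    results["safe_quote"] = rows_for(conn, "carol")[0][1]  # "O'Reilly style"

    # 3. Closing the VALUES tuple lets the poster append a row as another user.
    conn = new_db()
    evil = "x'), ('admin', 'help', 'injected', 'by mallory"
    insert_topic_vulnerable(conn, "mallory", "Hi", evil)
    results["vuln_admin_rows"] = len(rows_for(conn, "admin"))  # 1
    conn = new_db()
    insert_topic_safe(conn, "mallory", "Hi", evil)
    results["safe_admin_rows"] = len(rows_for(conn, "admin"))  # 0
    results["safe_stored"] = rows_for(conn, "mallory")[0][1] == evil  # True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Case 3 is the one that matters for the TEXT-column question: the attacker's content is stored in a TEXT column in both variants, but only the string-built version lets it spill out of the value and into the statement. In PHP the equivalent of the bound-parameter functions is a PDO or mysqli prepared statement (`$stmt = $pdo->prepare('SELECT id FROM forum_topic WHERE username = ? AND forum = ?'); $stmt->execute([$username, 'help']);`), which also removes the need for `addslashes()`; a character whitelist such as the posted `ctype_alnum()` check remains useful as input validation, but it is not what prevents injection.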
