srihari Posted December 7, 2007

A source of potential problems in a dynamic web application is the "pollution" of input with bad, if not downright malicious, data.

```php
/* assumed $name is user data culled from a POSTed HTML form... */
$query = "SELECT * FROM members WHERE firstname = '" . $name . "';";
$result = mysql_query($query);
```

Can anyone help me out? How will I catch malformed (malicious?) POST/GET data in $name? Can anyone suggest how to proceed with the code? Can I have sample code?

Link to comment: https://forums.phpfreaks.com/topic/80652-catching-malicious-data/
revraz Posted December 7, 2007

Do this before your query:

```php
$name = mysql_real_escape_string($name);
```
srihari Posted December 7, 2007 (Author)

```php
$name = mysql_real_escape_string($name);
$query = "SELECT * FROM members WHERE firstname = '" . $name . "';";
$result = mysql_query($query);
```

Will this work out fine? Or please check the code below as well.

```php
<?php
if (isset($_POST['last_name'])) {
    // Connect
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
    if (!is_resource($link)) {
        echo "Failed to connect to the server\n";
        // ... log the error properly
    } else {
        mysql_select_db('mysql_db', $link); // placeholder database name

        // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
        if (get_magic_quotes_gpc()) {
            $last_name = stripslashes($_POST['last_name']);
        } else {
            $last_name = $_POST['last_name'];
        }

        // Make a safe query
        $query = sprintf("SELECT * FROM `customers` WHERE `last_name` = '%s'",
                         mysql_real_escape_string($last_name, $link));
        $result = mysql_query($query, $link);

        // A SELECT returns a result set, so count its rows
        if ($result && mysql_num_rows($result) > 0) {
            echo "Customer found\n";
        }
    }
} else {
    echo "Fill the form properly\n";
}
?>
```
srihari Posted December 7, 2007 (Author)

Can anybody check which one of my above code samples best solves my specifications?
boushley Posted December 7, 2007

They both look like they'll do the job... it's just what you want to be done. The first one is much shorter and probably more effective... since it's made to escape MySQL-specific things, instead of just throwing slashes all over.
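As an added illustration of the point discussed in this thread (this is not code from any of the posts above), the following shows what a malicious value does to the query from the first post, how escaping neutralises it, and the prepared-statement form that keeps the value out of the SQL text entirely. It uses mysqli rather than the mysql_* functions the thread uses, because the mysql_* extension was removed in PHP 7. The host, credentials and database name are placeholders, the malicious input is constructed for the example, and the `members`/`firstname` schema is taken from the first post.

```php
<?php
// Added example, not part of the original thread.
// Connection details are placeholders: replace with your own.
$link = mysqli_connect('localhost', 'mysql_user', 'mysql_password', 'mysql_db');
if (!$link) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}
// Escaping is only correct for the character set the connection actually uses,
// so set it explicitly instead of trusting the server default.
mysqli_set_charset($link, 'utf8mb4');

// Constructed malicious input, as it would arrive in $_POST['first_name'].
$name = "x' OR '1'='1";

// 1. The construction from the first post: the quote in $name closes the
//    literal and the rest becomes SQL. This query returns every row.
$unsafe = "SELECT * FROM members WHERE firstname = '" . $name . "';";
echo "unsafe: $unsafe\n";
// SELECT * FROM members WHERE firstname = 'x' OR '1'='1';

// 2. Escaping with the connection: the quote is now \' and the whole value
//    stays inside one string literal, so it matches nothing.
$escaped = mysqli_real_escape_string($link, $name);
$safe = sprintf("SELECT * FROM members WHERE firstname = '%s'", $escaped);
echo "escaped: $safe\n";
// SELECT * FROM members WHERE firstname = 'x\' OR \'1\'=\'1'

// Caveat: escaping only helps inside a quoted literal. For an unquoted
// numeric context such as  WHERE id = $id  with $id = "1 OR 1=1" there is no
// quote to escape, so the injection survives; cast it ((int)$id) or bind it.

// 3. Prepared statement: the value is sent separately from the SQL and can
//    never be parsed as part of it, whatever characters it contains.
$stmt = mysqli_prepare($link, "SELECT * FROM members WHERE firstname = ?");
if (!$stmt) {
    die('prepare failed: ' . mysqli_error($link) . "\n");
}
mysqli_stmt_bind_param($stmt, 's', $name);   // 's' = bind as a string
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);     // needs the mysqlnd driver
echo "prepared: " . mysqli_num_rows($result) . " row(s) matched\n";
mysqli_stmt_close($stmt);
mysqli_close($link);
```

Run it against a test database with a `members` table that has a `firstname` column: the unsafe query would return every member, while both the escaped and the prepared forms match only a member literally named `x' OR '1'='1`, i.e. normally zero rows.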