
text box security


asmith


Leaving an input field with no limit can cause SQL injections.

What about a text box?

I want to allow the user to type anything he wants for something like "comments", so he can use all the symbols, spaces, everything.

And I want to record that in a MySQL field.

How can I prevent my text box from allowing SQL injections?

(Hmm, I can combine the incoming text with some symbols at its front and its end, so as to change it from what it is exactly, but is there a better way of doing this?)

https://forums.phpfreaks.com/topic/82669-text-box-security/

mysql_real_escape_string - that does it all for you.

EXCEPT - I did read an article recently (which I can't locate right now) stating that if you entered the utf8 (either that or a similar character code) for a single quote then it is not escaped by mysql_real_escape_string but is evaluated as a single quote in a string and hence would permit injection.

Injection is only really a problem with select queries anyway - inserts and updates would only be affected in rare situations where your construction of the query string allowed the user-inputted string to affect which/how many rows were affected....

https://forums.phpfreaks.com/topic/82669-text-box-security/#findComment-420453

I believe this

    EXCEPT - I did read an article recently (which I can't locate right now) stating that if you entered the utf8 (either that or a similar character code) for a single quote then it is not escaped by mysql_real_escape_string but is evaluated as a single quote in a string and hence would permit injection.

is incorrect. The addslashes() function has this problem, not mysql_real_escape_string().

 

Ken

https://forums.phpfreaks.com/topic/82669-text-box-security/#findComment-420598
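For the original question (storing a free-text "comments" box in MySQL) and the two replies about escaping, here is an added example; it is not code from any poster in this thread. The mysql_* extension the replies refer to was removed in PHP 7, so it uses the mysqli equivalents (real_escape_string and prepared statements) and assumes a table comments(id, body) and the hypothetical credentials shown.

```php
<?php
// Added example (not from the thread): storing a free-text "comments" field
// safely with MySQL. Assumes a table `comments(id INT AUTO_INCREMENT, body TEXT)`
// and the mysqli extension; $comment comes straight from the form, unfiltered.

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // hypothetical
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Tell the driver which character set the connection uses. Escaping is only
// correct when the escaper uses the same charset the server will parse with;
// this is the connection-awareness that addslashes() lacks.
$db->set_charset('utf8mb4');

$comment = isset($_POST['comment']) ? $_POST['comment'] : '';

// VULNERABLE: the raw text becomes part of the SQL statement, so a quote or
// comment sequence the user types is parsed as SQL rather than as data.
// $sql = "INSERT INTO comments (body) VALUES ('$comment')";

// Option 1: escape with the connection-aware escaper (the mysqli equivalent of
// mysql_real_escape_string). Special characters in $comment are escaped
// according to the connection charset, so the text is stored exactly as typed.
$safe = $db->real_escape_string($comment);
$db->query("INSERT INTO comments (body) VALUES ('$safe')");

// Option 2 (preferred): a prepared statement. The statement is compiled with a
// placeholder first; the comment is sent afterwards as a value and is never
// interpreted as SQL, whatever symbols, spaces or quotes it contains.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
$stmt->bind_param('s', $comment);
$stmt->execute();
$stmt->close();

// Reading it back: the same rule applies to SELECT queries.
$id   = isset($_GET['id']) ? (int) $_GET['id'] : 0;
$stmt = $db->prepare('SELECT body FROM comments WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($body);
while ($stmt->fetch()) {
    // Escape on output as well, so stored text cannot inject HTML into the page.
    echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}
$stmt->close();
```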
