asmith Posted December 21, 2007 Share Posted December 21, 2007 leaving an input filed with no limit ,can cause sql injections . what about a text box ? i want to allow the user to type anything he wants for something like "comments" . so he can use all the symbols ,space , everything . and i want to record that in mysql field. how can i prevent my text box not to allowed sql injections ? ( hmm i can combine the incoming text with some symbols at the its front and its end , so to make it change from what it is exactly , but is there a better way for doing this ? ) Quote Link to comment Share on other sites More sharing options...
papaface Posted December 21, 2007 Share Posted December 21, 2007 http://uk2.php.net/mysql_real_escape_string Quote Link to comment Share on other sites More sharing options...
ToonMariner Posted December 21, 2007 Share Posted December 21, 2007 mysql_real_escape_string - that does it all for you. EXCEPT - I did read an article recently (which I can't locate right now) stating that if you entered the utf8 (either that or a similar character code) for a single quote then it is not escaped by mysql_real_escape_string but is evaluted as a single quote in a string and hence would permit injection. Inject is only really a problem with select queries anyway - inserts and updates would only be affected in rare situations where your construction of the query string allowed the user inputted string to affect which/howmany rows were affected.... Quote Link to comment Share on other sites More sharing options...
Dane Posted December 21, 2007 Share Posted December 21, 2007 So how would you come across not allowing that ^^^^ Thanks Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted December 21, 2007 Share Posted December 21, 2007 I believe this EXCEPT - I did read an article recently (which I can't locate right now) stating that if you entered the utf8 (either that or a similar character code) for a single quote then it is not escaped by mysql_real_escape_string but is evaluted as a single quote in a string and hence would permit injection. is incorrect. The addslashes() function has this problem, not mysql_real_escape_string(). Ken Quote Link to comment Share on other sites More sharing options...
cooldude832 Posted December 21, 2007 Share Posted December 21, 2007 well the length isn't an issue cause the sql field type didctates max size. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.