help on preventing injections

[ohdang888]

does anyone know of any really good tutorials or tips on how to prevent injections???

 

Thanks

[stealth86]

I'm assuming you mean SQL injections right?

 

If so check out this http://us.php.net/manual/en/function.mysql-real-escape-string.php at php.net. It's not a tutorial, but it'll get you on the right track.

[roopurt18]

Here's the short of it:

 

If the data came from post or get and Magic Quotes is on, call stripslashes() on it first.

 

Then you call mysql_real_escape_string() on it before inserting it into the database.

 

You do not call functions like striptags() or htmlentities() on data going into the database.  Rather you reserve that for when you are about to display that data to a browser.

 

Any time you put data into your database, you want it intact as much as possible.  Which means the only things you should do to it is stripslashes() (and only if magic quotes is on) followed by mysql_real_escape_string().

[ohdang888]

i don't know if my magic quotes are on or off. Is there a test i can run to see, or where can i change it?

[roopurt18]

The power of Google:

http://www.php.net/manual/en/function.get-magic-quotes-gpc.php