ohdang888 Posted March 5, 2008 Share Posted March 5, 2008 does anyone know of any really good tutorials or tips on how to prevent injections??? Thanks Quote Link to comment Share on other sites More sharing options...
stealth86 Posted March 5, 2008 Share Posted March 5, 2008 I'm assuming you mean SQL injections right? If so check out this http://us.php.net/manual/en/function.mysql-real-escape-string.php at php.net. It's not a tutorial, but it'll get you on the right track. Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted March 5, 2008 Share Posted March 5, 2008 Here's the short of it: If the data came from post or get and Magic Quotes is on, call stripslashes() on it first. Then you call mysql_real_escape_string() on it before inserting it into the database. You do not call functions like striptags() or htmlentities() on data going into the database. Rather you reserve that for when you are about to display that data to a browser. Any time you put data into your database, you want it intact as much as possible. Which means the only things you should do to it is stripslashes() (and only if magic quotes is on) followed by mysql_real_escape_string(). Quote Link to comment Share on other sites More sharing options...
ohdang888 Posted March 6, 2008 Author Share Posted March 6, 2008 i don't know if my magic quotes are on or off. Is there a test i can run to see, or where can i change it? Quote Link to comment Share on other sites More sharing options...
roopurt18 Posted March 6, 2008 Share Posted March 6, 2008 The power of Google: http://www.php.net/manual/en/function.get-magic-quotes-gpc.php Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.