Page 1 of 1

prevent sql injection on form submit

Posted: Tue Oct 25, 2011 3:05 am
by Lphp
I have a long form , if I want every input fields can prevent sql injection on form submit
how to do that :?

Re: prevent sql injection on form submit

Posted: Tue Oct 25, 2011 3:27 am
by Gopesh
Use mysql_real_escape_string() to prevent sql injection.

Code: Select all

<?php
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
?>
Check http://www.digifuzz.net/archives/2007/0 ... -with-php/ .

Re: prevent sql injection on form submit

Posted: Tue Oct 25, 2011 6:43 am
by Celauran
In addition to escaping the values, make sure the data you're getting matches what you're expecting. If you expect a field to contain only numbers, there's no point escaping it if it contains letters; you already know it's junk data and should return an error. Also, at the very least, use mysqli.

Re: prevent sql injection on form submit

Posted: Tue Oct 25, 2011 11:06 am
by egg82

Code: Select all

$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$result = mysql_query("SELECT * FROM `accounts` WHERE `username`='".mysql_real_escape_string($username)."' AND `password`='".mysql_real_escape_string($password)."'");
if(!$result){
	echo(mysql_error());
	exit();
}

Re: prevent sql injection on form submit

Posted: Tue Nov 01, 2011 3:16 am
by Lphp
thank you for all the replies
I looking for a loop to take care all the values on form , I don't want to handle it one by one

Re: prevent sql injection on form submit

Posted: Tue Nov 01, 2011 7:45 am
by social_experiment
Lphp wrote:I looking for a loop to take care all the values on form , I don't want to handle it one by one
You could make an array of all the input fields and pass that to a function that wraps each in a function like mysqli_real_escape_string(), and add that value back into an 'escaped' array.