Protection against SQL injection attacks!!!

Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Protection against SQL injection attacks!!!

Post by Joe »

I am having some troubles with others using SQL injection within my site. Is there any method to remove or replace specific characters like *, ;, ', ", etc., from login or sign-up forms?

I have tried:

$username = str_replace("''","'", $username);

And still had no luck. Any suggestions will help.


Regards



Joe 8)
Deemo
Forum Contributor
Posts: 418
Joined: Sun Jan 18, 2004 11:48 am
Location: Washington DC

Post by Deemo »

For the str_replace thing, try str_replace(' " ', ' ', $username)

That is single quotes with double quotes inside. I spaced it out so you could see, but there shouldn't be spaces.
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

hmm...

Post by Joe »

Still No Luck... Any other methods???
Ixplodestuff8
Forum Commoner
Posts: 60
Joined: Mon Feb 09, 2004 8:17 pm
Location: Queens, New York

Post by Ixplodestuff8 »

You could try addslashes() to escape quotes.

$username = addslashes ( $username );
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

or mysql_escape_string()

Mac
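
An added example, not part of the thread and not any poster's code: rather than removing or escaping characters, this login check keeps the SQL text fixed and passes the username as a bound parameter. It assumes PHP 7.1 or later with the pdo_sqlite extension; the users table, its rows and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the `users` table, its rows and both function names are constructed.

function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $ins->execute(['joe', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $ins->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

// The query string never changes; user input travels only as a bound value,
// so quotes, semicolons and asterisks in it are compared as data, not parsed as SQL.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username.
    return $hash !== false && password_verify($password, $hash);
}

$db = make_demo_db();
$cases = [
    ['joe', 'correct horse'],        // valid login
    ["o'brien", 'battery staple'],   // legitimate name that contains a quote
    ["joe' OR '1'='1", 'anything'],  // constructed hostile input
    ['joe', 'wrong password'],       // valid user, bad password
];
foreach ($cases as [$u, $p]) {
    printf("%-20s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

The o'brien row shows why character stripping is a poor fit for login forms: a legitimate name with a quote in it still has to match.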