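<?php
// Strip every single quote from $user.
//
// Two things were wrong with the original line:
//   * it called strreplace(), which does not exist (fatal "undefined
//     function"); the real function is str_replace();
//   * even with the right name the arguments were in the wrong order —
//     str_replace() takes (search, replace, subject), so $user must be last.
//
// NOTE(review): removing quotes is NOT an SQL-injection defence. A numeric
// column needs no quote to break out of the literal, backslashes and
// multibyte sequences are untouched, and legitimate names such as O'Brien
// get mangled. Bind $user as a parameter of a prepared statement instead
// and leave the text as the user typed it.
$user = str_replace("'", "", $user);
?>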
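<?php
// Remove all single quotes from $user.
//
// The original called strreplace() — a function that does not exist — and
// passed the arguments in the wrong order (str_replace() is
// search, replace, subject). This is the working form.
//
// NOTE(review): deleting quotes does not stop SQL injection (unquoted numeric
// contexts, backslashes and encoding tricks are unaffected) and it corrupts
// valid input such as O'Brien. The correct fix is a prepared statement with
// $user bound as a parameter; keep the raw value.
$user = str_replace("'", "", $user);
?>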
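/**
 * Escape a string for output inside an HTML body or a quoted HTML attribute.
 *
 * Both quote characters are encoded (ENT_QUOTES) so the result is safe in
 * single- and double-quoted attribute values as well as element text.
 * Compared with the original, ENT_SUBSTITUTE and an explicit 'UTF-8' charset
 * are passed: without them htmlspecialchars() relies on the PHP default
 * charset and silently returns an empty string when the input contains an
 * invalid byte sequence, which is easy to miss and can hide data.
 *
 * This is HTML-context escaping only. It does not make a value safe inside a
 * <script> block, a URL, or a CSS property, and it has nothing to do with SQL.
 *
 * @param string|null $string raw, untrusted text (null is treated as "")
 * @return string the HTML-escaped text
 */
function xss_check($string)
{
    // Cast first so a null (e.g. a missing request field) does not trigger
    // the PHP 8.1 "passing null to string parameter" deprecation.
    return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}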
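/**
 * Crude tripwire that aborts the request when user-supplied text contains a
 * SQL keyword from a fixed blacklist.
 *
 * NOTE(review): this is a keyword blacklist, not an injection defence.
 * It rejects legitimate input ("Union Street", "Grant", "selected"), and it
 * cannot see payloads that use other syntax (' OR 1=1 --, comments, encoded
 * or split keywords). The only real protection is binding values as
 * parameters of a prepared statement; if this function is kept at all it
 * should sit in front of parameterised queries purely for logging.
 *
 * Changes from the original: ereg() was removed in PHP 7, so the call was a
 * fatal error on any current PHP; it is replaced with stripos(), which is
 * also case-insensitive so that "SELECT" no longer slips past a check that
 * only looked for "select".
 *
 * @param string $string untrusted text to inspect
 * @return void returns normally when no keyword matched
 *
 * Side effects: on a match, prints a message and terminates the script
 * with exit (the caller never regains control).
 */
function sql_check($string)
{
    $keywords = ['select', 'insert', 'union', 'delete', 'truncate', 'grant'];
    $haystack = (string) $string;

    foreach ($keywords as $keyword) {
        if (stripos($haystack, $keyword) !== false) { // possible sql injection
            echo "The data you submitted to us looks suspicious and has been logged, please return to the previous page.";
            // do some logging of IP address here etc
            exit; // stop the page from loading
        }
    }
}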
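/**
 * HTML-escape a single request value for output in an HTML body or quoted
 * attribute.
 *
 * The original switched to ENT_NOQUOTES whenever get_magic_quotes_gpc() was
 * on. That left ' and " unescaped in the HTML — a backslash added by magic
 * quotes means nothing to a browser — so a value placed in an attribute could
 * still break out of it (XSS). Magic quotes were removed in PHP 5.4, so that
 * branch has been dead code ever since, and get_magic_quotes_gpc() itself no
 * longer exists in PHP 8, where calling it is a fatal error.
 *
 * Quotes are therefore always encoded now. ENT_SUBSTITUTE and an explicit
 * charset are added so malformed input yields U+FFFD instead of
 * htmlspecialchars() silently returning "".
 *
 * HTML-context escaping only: this is not a substitute for parameterised SQL,
 * and it is not safe for <script>, URL or CSS contexts.
 *
 * @param string|null $string raw request value (null is treated as "")
 * @return string text escaped for an HTML text/attribute context
 */
function makeInputSafe($string)
{
    return htmlspecialchars((string) $string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}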
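// Run the lookup with $value bound as a parameter instead of interpolated into
// the SQL text. In the original, "... value = '$value'" meant that any quote
// inside $value changed the statement itself (classic SQL injection); the
// database now receives the SQL and the value separately and cannot confuse
// them. mysql_query() was also removed in PHP 7, so the old line no longer runs.
//
// NOTE(review): assumes $pdo is the application's PDO connection, opened with
// PDO::ATTR_EMULATE_PREPARES => false so the binding happens server-side —
// confirm against the connection setup.
$stmt = $pdo->prepare('SELECT * FROM blah WHERE value = ?');
$stmt->execute([$value]);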
// The same string-built query as above, shown with the text an attacker would
// submit as the user name ("bogusName;delete from tablename") already spliced
// in: because the value was pasted straight into the SQL, the submitter
// controls the statement text.
//
// NOTE(review): the legacy mysql extension's mysql_query() sends a single
// statement, so this particular stacked ";delete" probably would not execute
// as written — verify — but a quote-based payload such as
// bogusName' OR '1'='1 needs no second statement. Only a bound parameter
// removes the problem; filtering keywords does not.
$injected = "SELECT * FROM blah WHERE user='bogusName;delete from tablename'";
mysql_query($injected);