Hi,
I am using PHP to insert my clients' data into my MySQL database. Now, I know in ASP there are some methods to prevent 'SQL injections.' For example, in ASP, I can replace single quotes (') with double quotes (") by doing this: CStr(replace(Request.form("firstname"),"'", "''")) & "'" & ",'" & _
Do I have to worry about this using php and mySQL? If so, can you please give me an example?
Thank you!
Database Injections
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
Yes, you do. We've talked about it on many occasions, have a poke around.
mysql_real_escape_string() is the last step in the process.
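As an added example (not code from the thread or from either poster), the following PHP script shows what the injection risk in the question looks like and how a prepared statement removes it. It uses PDO against an in-memory SQLite database so it runs offline; the DSN, the table name `clients` and the column `firstname` are assumptions for illustration, and the same two insert functions work unchanged against a MySQL DSN.

```php
<?php
// Added example, not from the original thread. Contrasts a query built by
// string concatenation with a prepared statement whose value is bound.
// Uses an in-memory SQLite database so it runs offline; replace the DSN with
// "mysql:host=...;dbname=..." plus credentials to run it against MySQL.
// Table "clients" and column "firstname" are assumed for illustration.

declare(strict_types=1);

// UNSAFE: the client's input is pasted straight into the SQL text.
// A firstname such as O'Brien breaks the statement, and the same mechanism
// is what lets crafted input change the statement's meaning.
function insertClientUnsafe(PDO $db, string $firstname): void
{
    $sql = "INSERT INTO clients (firstname) VALUES ('" . $firstname . "')";
    $db->exec($sql);
}

// SAFE: the SQL text is fixed at prepare time; the value travels as a bound
// parameter, so quotes in the input can never alter the statement structure.
function insertClientSafe(PDO $db, string $firstname): void
{
    $stmt = $db->prepare('INSERT INTO clients (firstname) VALUES (:firstname)');
    $stmt->bindValue(':firstname', $firstname, PDO::PARAM_STR);
    $stmt->execute();
}

function countClients(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM clients')->fetchColumn();
}

$db = new PDO('sqlite::memory:');   // assumption: local demo store
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, firstname TEXT NOT NULL)');

$input = "O'Brien";   // constructed sample input containing a single quote

try {
    insertClientUnsafe($db, $input);
} catch (PDOException $e) {
    echo 'concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}

insertClientSafe($db, $input);
echo 'rows after prepared insert: ' . countClients($db) . PHP_EOL;
```

The escaping approach the reply mentions, mysql_real_escape_string(), belongs to the old mysql_ extension, which was removed in PHP 7; its successors are mysqli's real_escape_string() or, better, prepared statements as above, which make escaping unnecessary for values because the value is never part of the SQL text.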