
Database Injections

Posted: Sun Jul 30, 2006 11:16 am
by joesmithf1
Hi,

I am using the PHP language to insert my clients' data into my mySQL database. Now, I know in ASP there are some methods to prevent 'SQL injections.' For example, in ASP I can replace single quotes (') with double quotes (") by doing this: CStr(replace(Request.form("firstname"),"'", "''")) & "'" & ",'" & _

Do I have to worry about this using php and mySQL? If so, can you please give me an example?

Thank you!

Posted: Sun Jul 30, 2006 11:19 am
by feyd
Yes, you do. We've talked about it on many occasions, have a poke around.

mysql_real_escape_string() is the last step in the process.
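The escaping step feyd points to, as an added example that is not part of the original thread: the concatenated INSERT from the question, the same statement with the value escaped, and a prepared statement, which goes one step beyond the thread and is the form that avoids the problem entirely. It uses mysqli because the mysql_* extension (and mysql_real_escape_string()) was removed in PHP 7; mysqli_real_escape_string() does the same job. The connection parameters, table and column names are placeholders.

```php
<?php
// Added example, not code from the original thread. Connection details,
// table and column names are assumptions for illustration.
$db = new mysqli('localhost', 'app_user', 'app_password', 'clients');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// Escaping is only correct for the connection's character set, so set it
// explicitly instead of relying on the server default.
$db->set_charset('utf8mb4');

// A perfectly legitimate client name containing an apostrophe. With the
// concatenated form this alone produces a broken query, which is the same
// mechanism an injection relies on.
$firstname = $_POST['firstname'] ?? "O'Brien";

// 1. Vulnerable: the value is pasted straight into the SQL text. The quote in
//    O'Brien ends the string literal early: ... VALUES ('O'Brien')
$sqlVuln = "INSERT INTO clients (firstname) VALUES ('" . $firstname . "')";
// Not executed here; shown only so the two forms can be compared.

// 2. Escaped: real_escape_string doubles quotes and backslashes for the
//    connection's charset, giving ... VALUES ('O\'Brien'). This only protects
//    a value that sits inside a quoted string literal; an unquoted numeric
//    position (e.g. ... WHERE id = $id) gets no protection from it.
$sqlEsc = "INSERT INTO clients (firstname) VALUES ('"
        . $db->real_escape_string($firstname) . "')";
if (!$db->query($sqlEsc)) {
    die('Insert failed: ' . $db->error);
}

// 3. Prepared statement: the SQL text and the value travel separately, so no
//    escaping is needed and no quoting mistake is possible. 's' = string type.
$stmt = $db->prepare('INSERT INTO clients (firstname) VALUES (?)');
$stmt->bind_param('s', $firstname);
if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error);
}
$stmt->close();
$db->close();
```

The comparison is easiest to see by echoing `$sqlVuln` and `$sqlEsc` before running anything: the first has an unbalanced quote, the second has it escaped. Prepared statements make that whole question moot, which is why they are the form to reach for in new code.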