sql injection question
Posted: Fri Jun 15, 2007 4:49 pm
feyd | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
I've been reading about preventing SQL injection by using the function below. Problem is, when I run the function below and the escape characters are added, for instance the value '2007-06-01' now becomes \'2007-06-01\', but when passed to MySQL I now get a syntax error where the \ was placed. I'm sure I'm missing something, but don't know what it is. Is there some setting on MySQL that has to be set to handle the escape characters? I'm using MySQL 5.0 and PHP 5.0.
Thanks

    function sql_quote( $value )
    {
        // Undo the automatic escaping that magic_quotes_gpc applies to
        // request data, so the value is not escaped twice below.
        if( get_magic_quotes_gpc() )
        {
            $value = stripslashes( $value );
        }
        // Prefer the MySQL-aware escaper (PHP >= 4.3.0); it needs an open
        // mysql connection so it can honour the connection's character set.
        if( function_exists( "mysql_real_escape_string" ) )
        {
            $value = mysql_real_escape_string( $value );
        }
        // For PHP versions before 4.3.0 fall back to addslashes.
        else
        {
            $value = addslashes( $value );
        }
        // The escaped value comes back WITHOUT surrounding quotes; the
        // caller must put the quotes around it in the SQL string.
        return $value;
    }
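The quoting mistake the post describes, beside the two correct forms, as an added example that is not code from the post; the mysqli connection `$db` and the `orders` table with its `order_date` column are assumed.

```php
<?php
// Added example, not code from the original post. Assumes a hypothetical
// mysqli connection $db and a hypothetical table `orders` with a DATE
// column `order_date`.

// Symptom from the post: the value handed to sql_quote already carried
// its own quotes, so '2007-06-01' became \'2007-06-01\' and the query read
//     WHERE order_date = \'2007-06-01\'
// which MySQL rejects. Escape the bare value and write the quotes in the SQL.
function order_ids_escaped(mysqli $db, $date)
{
    $safe = $db->real_escape_string($date);  // $date is 2007-06-01, no quotes
    $sql  = "SELECT id FROM orders WHERE order_date = '" . $safe . "'";
    $ids  = array();
    $res  = $db->query($sql);
    while ($row = $res->fetch_assoc()) {
        $ids[] = $row['id'];
    }
    $res->free();
    return $ids;
}

// Preferred: a prepared statement. The value is sent separately from the
// SQL text, so nothing needs escaping and the quoting cannot go wrong.
function order_ids_prepared(mysqli $db, $date)
{
    $stmt = $db->prepare("SELECT id FROM orders WHERE order_date = ?");
    $stmt->bind_param("s", $date);
    $stmt->execute();
    $stmt->bind_result($id);
    $ids = array();
    while ($stmt->fetch()) {
        $ids[] = $id;
    }
    $stmt->close();
    return $ids;
}

// Usage with the value from the post (connection details are placeholders):
// $db  = new mysqli('localhost', 'user', 'password', 'shop');
// $ids = order_ids_prepared($db, '2007-06-01');
```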