I've read a few tutorials but I am still a bit confused. To protect from this, would this be sufficient? This is when receiving a value from a form. I've read that there is a built-in function and that this could interfere; anyone have any clue what I am talking about?
$subanswer= mysql_real_escape_string($_POST['jokeanswer']);
mysql injection protection
Posted by twilightnights (Forum Newbie, Posts: 3, Joined: Sun Jan 28, 2007 11:38 pm)

Reply from feyd (Neighborhood Spidermoddy, Posts: 31559, Joined: Mon Mar 29, 2004 3:24 pm, Location: Bothell, Washington, USA):
mysql_real_escape_string() will only protect your queries against escape character injection attacks. If your query is not properly engineered, there are other attacks that the function will not be able to prevent, so more is needed. Properly validating and verifying the data is as expected is equally important.
magic_quotes_gpc and its siblings fiddle with input values. Your code should be written in such a way that it will work the same, in the end, whether the directives are on or not. get_magic_quotes_gpc() et al can be used in conjunction with stripslashes().
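The two points in the reply above, written out as an added example (not code from the thread or from either poster): undo magic_quotes_gpc before escaping so the result is the same either way, and treat a value used in a numeric position differently from one used inside quotes. It assumes the PHP 5-era mysql_* extension the thread uses (removed in PHP 7) and a hypothetical `jokes` table with `id` and `answer` columns.

```php
<?php
// Added example, not from the thread. Assumes the old mysql_* extension
// and PHP 5-era magic_quotes; both no longer exist in PHP 7 and later.

// Strip the slashes magic_quotes_gpc adds so the raw value is identical
// whether the directive is on or off. Escaping is then applied exactly once.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// String context: escape AND keep the value inside quotes in the SQL.
// Escaping a string that is then dropped into the query without quotes
// around it gives no protection at all.
function joke_answer_sql($link, $answer)
{
    $answer = raw_input($answer);
    if (!is_string($answer) || strlen($answer) > 255) {  // "as expected": a bounded string
        return false;
    }
    return "UPDATE jokes SET answer='" . mysql_real_escape_string($answer, $link) . "'";
}

// Numeric context: mysql_real_escape_string() only touches quotes, backslashes
// and a few control characters, so a value with none of those passes through
// unchanged into an unquoted position. Verify the type instead of escaping.
function joke_id_sql($id)
{
    $id = raw_input($id);
    if (!is_string($id) || !ctype_digit($id)) {  // only an unsigned integer is acceptable
        return false;
    }
    return "SELECT answer FROM jokes WHERE id=" . (int) $id;
}

// Usage with the form field from the original post ($link is an open
// mysql_connect() resource; hypothetical 'jokeid' field for the numeric case):
//   $sql_answer = joke_answer_sql($link, $_POST['jokeanswer']);
//   $sql_id     = joke_id_sql($_POST['jokeid']);
//   if ($sql_answer === false || $sql_id === false) { /* reject the request */ }
```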