Thread: mySQL security
Murlyn
Member Since: Jun 11, 2003
Location: Mount Vernon, WA
Posts: 4,909
Mac Specs: MacBook Pro 2.6 GHz Core 2 Duo 4GB RAM OS 10.5.2
Yeah, I mean using PHP_SELF.. try to make sure and use the new global variables though.. so $_SERVER['PHP_SELF'] and $_POST['firstname'] etc. And actually you won't need to do anything to that input because it should automatically add slashes to your incoming data..

So let's say $_POST['lastname'] was O'Connel, then it would actually be O\'Connel, which escapes the apostrophe.. and tells MySQL to not use it as part of the SQL statement.. that it's actually part of the value..

So something like this:

// PHP string building the statement; the values are spliced straight in.
$sql = "INSERT INTO tablename VALUES ('{$_POST['firstname']}', '{$_POST['lastname']}')";

As you can see, surrounding the variables are single quotes.. now since the data within will have their single quotes escaped.. it shouldn't matter what kind of stuff someone puts in the fields.. they shouldn't be able to add any damaging code without it throwing up an error.
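An added example, not from the post above or its author, showing the same INSERT built three ways. The post relies on PHP adding slashes to incoming data automatically; that behaviour (magic_quotes_gpc) was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP the $_POST values arrive exactly as typed. The example assumes a mysqli connection to a table named `tablename` with columns `firstname` and `lastname`; the host, user, password and database name are placeholders, and the `$post` array is constructed sample input standing in for $_POST.

```php
<?php
// Added example, not code from the original post. Connection details and
// the `tablename` columns (firstname, lastname) are assumptions.
declare(strict_types=1);

/**
 * The post's approach: values spliced straight into the SQL text.
 * This is only safe if something escaped the quotes beforehand, and since
 * magic_quotes_gpc was removed in PHP 5.4, nothing does.
 */
function insert_unescaped(array $post): string
{
    return "INSERT INTO tablename (firstname, lastname) VALUES ('{$post['firstname']}', '{$post['lastname']}')";
}

/**
 * Explicit escaping for the open connection. real_escape_string() is
 * charset-aware, so set_charset() must be called on the connection first.
 * O'Connel becomes O\'Connel, the behaviour the post attributes to magic quotes.
 */
function insert_with_escaping(mysqli $db, string $first, string $last): string
{
    $f = $db->real_escape_string($first);
    $l = $db->real_escape_string($last);
    return "INSERT INTO tablename (firstname, lastname) VALUES ('{$f}', '{$l}')";
}

/**
 * Preferred form: a prepared statement. The values never become part of the
 * SQL text, so quotes in the data cannot change the statement's meaning and
 * there is no escaping step to forget.
 */
function insert_prepared(mysqli $db, string $first, string $last): bool
{
    $stmt = $db->prepare('INSERT INTO tablename (firstname, lastname) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $first, $last);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input standing in for $_POST.
$post = ['firstname' => 'Sean', 'lastname' => "O'Connel"];

// Placeholder connection details (assumption).
$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4'); // must precede any real_escape_string() call

echo insert_unescaped($post), "\n";       // the apostrophe ends the quoted value early
echo insert_with_escaping($db, $post['firstname'], $post['lastname']), "\n";
insert_prepared($db, $post['firstname'], $post['lastname']);
```

On a current PHP the first line printed contains an unescaped apostrophe inside the quoted value, which is exactly the case the post expects magic quotes to have handled; the second line shows the escaped form, and the prepared statement avoids building the SQL text from user data at all.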