54
http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page
following are the steps i have followed after the form values are submitted to a php file.
step 1.
Expand|Select|Wrap|Line Numbers
- if(get_magic_quotes_gpc())
- {
- $username = stripslashes($_POST["username"]);
- .........
- }
- else
- {
- $username = $_POST["username"];
- .........
- }
Expand|Select|Wrap|Line Numbers
- $conn = mysql_connect($hostname, $user, $password);
Expand|Select|Wrap|Line Numbers
- $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn),
- ...);
Expand|Select|Wrap|Line Numbers
- if(!$conn)
- {
- header("Location: http://website/dberror.html");
- exit;
- }
- else
- {
- mysql_select_db($database, $conn);
- $insertqueryresult = mysql_query($insertquery);
- if(!$insertqueryresult) {
- header("Location: http://website/error.html");
- exit; }
- }
problems.
i have also used a simple sql insert query like
Expand|Select|Wrap|Line Numbers
- $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";
the information entered because of the ' character and as per the code error.html file is being displayed where as if i use
Expand|Select|Wrap|Line Numbers
- $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn),
- ...);
a)
so i am thinking that the steps i have taken from the php site is correct and the right way to avoid sql injection though
there are several ways to avoid sql injection.
b)
for example if i enter data in the form as = abc'''def for name, the data in the table for the name field is being written as
abc'''def
based on how i have written the steps to avoid sql injection is this the right way for the data to be stored with '
characters along with the data example as i mentioned = abc'''def
please answer the questions a) and b) if there is something else i need to do please suggest what needs to be done exactly
and at which step.
any help will be greatly appreciated.
thanks.
