Comments on: Writing Secure SQL Queries http://phpstarter.net/2008/02/writing-secure-sql-queries/ PHP Tips & Tools From Starters to Experts Sun, 15 Jan 2012 02:04:09 +0000 hourly 1 http://wordpress.org/?v=3.3 By: Matt http://phpstarter.net/2008/02/writing-secure-sql-queries/comment-page-1/#comment-4 Matt Mon, 03 Mar 2008 06:00:15 +0000 http://wp.pr0gr4mm3r.com/mysql/writing-secure-sql-queries/#comment-4 I knew about SQL injection, but I actually never tried it. I copied your sample into a login form on my site (after removing the escape logic), and it does work. Neat-O! (I had to replace all those funky quotes in your sample code though). I escape the user input in my PHP code with this function: [code language='php'] function escapeData($data) { if(ini_get('magic_quotes_gpc')) $data = stripslashes($data); return mysql_real_escape_string($data); } [/code] It's more portable than just using mysql_real_escape_string() everywhere. I knew about SQL injection, but I actually never tried it. I copied your sample into a login form on my site (after removing the escape logic), and it does work. Neat-O! (I had to replace all those funky quotes in your sample code though).

I escape the user input in my PHP code with this function:

function escapeData($data)
{
	if(ini_get('magic_quotes_gpc'))
		$data = stripslashes($data);
	return mysql_real_escape_string($data);
}

It’s more portable than just using mysql_real_escape_string() everywhere.

]]> By: Andrew Wells http://phpstarter.net/2008/02/writing-secure-sql-queries/comment-page-1/#comment-5 Andrew Wells Mon, 03 Mar 2008 05:21:36 +0000 http://wp.pr0gr4mm3r.com/mysql/writing-secure-sql-queries/#comment-5 Yeah, Wordpress likes to mess with my quotes. I have been looking into how to disable that fancy formatting. That's a good idea with putting in that magic quotes test. I was escaping strings on this one server, and everything was being outputted with extra backslashes. Turned out it was because "magic_quotes_gpc" was enabled. I always disable that function whenever possible because I secure it myself. Yeah, WordPress likes to mess with my quotes. I have been looking into how to disable that fancy formatting.

That’s a good idea with putting in that magic quotes test. I was escaping strings on this one server, and everything was being outputted with extra backslashes. Turned out it was because “magic_quotes_gpc” was enabled. I always disable that function whenever possible because I secure it myself.

]]>