
Safe Querying for PHP/MySql

BlackRaven

9:15 pm on Jun 29, 2006 (gmt 0)

Is my current function for filtering user input enough?

function safequery($check) {
    $check_notallowed = array("=", ";", "%");
    $check = str_replace($check_notallowed, '', $check);
    $check = htmlentities($check);
    $check = str_replace("?", "%s", $check);
    return $check;
}

Thanks

dreamcatcher

10:07 pm on Jun 29, 2006 (gmt 0)

Hi BlackRaven,

Use mysql_real_escape_string [uk.php.net] for safe importing of data into your database. I generally convert apostrophes and double quotes to char entities and let the aforementioned function take care of the rest.

dc

BlackRaven

8:12 am on Jun 30, 2006 (gmt 0)

Thanks dreamcatcher, but could you tell me how to properly escape single and double quotes? I keep getting a forward slash with my quote after using the mysql_real_escape_string function.

Sekka

8:30 am on Jun 30, 2006 (gmt 0)

As dreamcatcher said, use htmlentities() on the string to convert apostrophes and double quotes to HTML special character codes. This will solve your problem. :)
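The distinction the replies above are drawing, as an added example that is not code from the thread: the original filter never handles the single quote that actually terminates a SQL string literal, while escaping for SQL (done at query-build time with the real_escape_string function dreamcatcher recommends) and encoding for HTML (done at output time with htmlentities) are two separate steps. It assumes a mysqli connection with placeholder credentials and uses mysqli_real_escape_string as the current equivalent of the mysql_real_escape_string call named in the thread; the sample name is constructed.

```php
<?php
// Added example, not from the original thread. Assumes a mysqli connection;
// the credentials below are placeholders.

// The filter posted at the top of the thread, reproduced for comparison:
// it strips = ; % and HTML-encodes, but a bare apostrophe in the input
// is never escaped for SQL.
function safequery_original($check) {
    $check = str_replace(array("=", ";", "%"), '', $check);
    $check = htmlentities($check);
    return str_replace("?", "%s", $check);
}

// Step 1 (SQL): escape the value for the connection's charset while
// building the query. The backslash that appears before the quote is the
// escape MySQL expects; the server consumes it, so the stored value is
// the original "O'Brien", not "O\'Brien".
function build_lookup($db, $name) {
    $escaped = mysqli_real_escape_string($db, $name);
    return "SELECT id FROM users WHERE name = '" . $escaped . "'";
}

// Step 2 (HTML): encode only when the value is echoed into a page, so
// quotes cannot break out of an attribute or tag. ENT_QUOTES covers both
// single and double quotes regardless of PHP version defaults.
function render_name($name) {
    return '<td>' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</td>';
}

$db   = mysqli_connect('localhost', 'user', 'pass', 'app'); // placeholder
$name = "O'Brien"; // constructed sample input: a legitimate name with a quote

echo "original filter : ", safequery_original($name), "\n";
echo "sql (escaped)   : ", build_lookup($db, $name), "\n";
echo "html (encoded)  : ", render_name($name), "\n";
```

Running it shows the first line still containing the quote (possibly entity-encoded, which mangles what gets stored), the second with the backslash-escaped quote inside the SQL literal, and the third with the quote encoded for the browser.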