Can somebody give me some general hints on how to prevent
SQL injection?
I always go this way to build my queries:
function clean_mysql_string($string) {
    // Remove backslashes (e.g. ones added by magic_quotes_gpc)
    $clean_string = stripslashes($string);
    // Drop HTML tags, then encode the remaining HTML special characters
    $clean_string = htmlentities(strip_tags($clean_string));
    // Strip surrounding whitespace (rtrim is redundant after trim)
    $clean_string = trim($clean_string);
    $clean_string = rtrim($clean_string);
    // Escape quotes, backslashes and NUL for use inside a quoted MySQL literal
    $clean_string = mysql_real_escape_string($clean_string);
    return $clean_string;
}

$searchstring = clean_mysql_string($_POST["searchstring"]);

// Full-text search over uname/nickname; the escaped string is interpolated
// inside the quoted AGAINST() literal
$query = "SELECT id, uname, nickname, MATCH(uname, nickname)
          AGAINST('$searchstring' IN BOOLEAN MODE) AS mtch
          FROM wlh_accounts
          HAVING mtch > 0.001
          ORDER BY mtch DESC";
$results = mysql_query($query);

$values = array();
while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
    $values[] = array(
        "id"       => $row["id"],
        "uname"    => $row["uname"],
        "nickname" => $row["nickname"],
        "mtch"     => $row["mtch"]
    );
}
Is this safe?
--
Jochen Kaechelin, fvgi242ss, wlanhacking.de
http://mail.wlanhacking.de/cgi-bin/mailman/listinfo
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
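As an added example, not code from the original post or from the list: the same search written with a prepared statement via PDO, so the search string is bound as a parameter instead of being escaped and interpolated into the SQL text. The DSN, database name and credentials are assumed placeholders; the table wlh_accounts, its columns and the MATCH ... AGAINST query are taken from the post. It needs PHP 7 or later with the pdo_mysql driver.

```php
<?php
// Editor-added example (not the poster's code): full-text search with a
// prepared statement. Assumed: DSN/credentials below, a MySQL table
// wlh_accounts with a FULLTEXT index on (uname, nickname), pdo_mysql driver.

function connect(): PDO
{
    // charset=utf8mb4 in the DSN sets the connection character set so the
    // client library and the server agree on multi-byte boundaries.
    $dsn = 'mysql:host=localhost;dbname=wlh;charset=utf8mb4';   // assumed
    return new PDO($dsn, 'wlh_user', 'wlh_password', [          // assumed
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: the parameter is sent separately from the
        // statement text and is never spliced into the SQL string.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Full-text search over uname/nickname.
 *
 * $searchstring is bound as a parameter, so quotes, backslashes, NUL bytes
 * and comment sequences in it are data, never SQL syntax. No escaping or
 * HTML encoding is applied to it before the query.
 */
function search_accounts(PDO $pdo, string $searchstring): array
{
    $sql = 'SELECT id, uname, nickname,
                   MATCH(uname, nickname) AGAINST(:q IN BOOLEAN MODE) AS mtch
            FROM wlh_accounts
            HAVING mtch > 0.001
            ORDER BY mtch DESC';

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':q', $searchstring, PDO::PARAM_STR);
    $stmt->execute();

    // Each row: id, uname, nickname, mtch (same shape as $values in the post)
    return $stmt->fetchAll();
}

// Web usage, equivalent to the post's $_POST["searchstring"] handling:
//   $values = search_accounts(connect(), (string)($_POST['searchstring'] ?? ''));

// Command-line usage for trying it out: php search.php "O'Neil -- test"
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (search_accounts(connect(), $argv[1]) as $row) {
        printf("%d\t%s\t%s\t%.4f\n",
            $row['id'], $row['uname'], $row['nickname'], $row['mtch']);
    }
}
```

Binding replaces the escaping step; it does not sit on top of it, and the input should reach the query untouched. htmlentities() and strip_tags() are output encodings for HTML: applied before the query they only change what gets searched for (an `&` in the input is looked up as `&amp;`), and they belong at the point where the result is printed into a page. BOOLEAN MODE operators such as `+`, `-` and `"` in the input still steer the full-text parser; that is search semantics rather than SQL syntax, and a prepared statement neither blocks nor needs to block them. If the mysql_* extension has to stay, mysql_real_escape_string() is only correct once mysql_set_charset() has told the client library which character set the connection uses.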