Jochen Kaechelin wrote:
Can somebody give me some general hints on how to prevent
SQL injection?
I always go this way to build my queries:
function clean_mysql_string($string) {
    // Undo magic_quotes escaping first, otherwise the value gets escaped twice
    $clean_string = stripslashes($string);
    $clean_string = htmlentities(strip_tags($clean_string));
    $clean_string = trim($clean_string);
    $clean_string = rtrim($clean_string);
    // Escape for use inside a single-quoted MySQL string literal
    $clean_string = mysql_real_escape_string($clean_string);
    return $clean_string;
}

$searchstring = clean_mysql_string($_POST["searchstring"]);
$query = "SELECT id, uname, nickname, MATCH(uname, nickname)
          AGAINST('$searchstring' IN BOOLEAN MODE) AS mtch
          FROM wlh_accounts
          HAVING mtch > 0.001
          ORDER BY mtch DESC";
$results = mysql_query($query);
$values = array();
while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
    $values[] = array(
        "id"       => $row["id"],
        "uname"    => $row["uname"],
        "nickname" => $row["nickname"],
        "mtch"     => $row["mtch"]
    );
}
Is this safe??
AFAIK, all you really need to prevent SQL injection is to use
mysql_real_escape_string and enclose the variable in single-quotes when
you construct the query. Stripslashes is a good idea if magic quotes are
enabled in PHP. htmlentities, strip_tags, trim and rtrim are not
necessary for preventing SQL injection (and the rtrim is redundant).
Look at Example 3 on http://www.php.net/mysql_real_escape_string (but
pay attention to the user comments regarding the is_numeric check).
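An added example, not from either post in the thread, that shows the reply's rule (escape and enclose in single quotes) and the limit behind the is_numeric remark (an unquoted numeric context gives escaping nothing to protect), beside a bound-parameter lookup. It assumes an in-memory SQLite database, a quote-doubling stand-in for mysql_real_escape_string, and LIKE in place of MATCH...AGAINST, so it runs without a MySQL server:

```python
import sqlite3

def escape_single_quotes(value):
    # Stand-in for mysql_real_escape_string (assumption, SQLite rules): it only doubles
    # single quotes, which is all this demo needs. The real function also handles
    # backslashes, NUL bytes and the connection charset.
    return value.replace("'", "''")

def setup_db():
    # Constructed sample rows using the column names from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wlh_accounts (id INTEGER PRIMARY KEY, uname TEXT, nickname TEXT)")
    conn.executemany("INSERT INTO wlh_accounts (uname, nickname) VALUES (?, ?)",
                     [("alice", "ali"), ("bob", "bobby"), ("carol", "cc")])
    return conn

def search_escaped_quoted(conn, searchstring):
    # The reply's rule: escape AND enclose in single quotes. Whatever the user sends
    # stays inside one string literal, so it can only ever be data.
    q = ("SELECT uname FROM wlh_accounts WHERE uname LIKE '%"
         + escape_single_quotes(searchstring) + "%' ORDER BY id")
    return [row[0] for row in conn.execute(q)]

def lookup_escaped_unquoted(conn, user_id):
    # The caveat the is_numeric comments are about: with no quotes around the value
    # there is nothing to close, so escaping quotes changes nothing and the input is SQL.
    q = "SELECT uname FROM wlh_accounts WHERE id = " + escape_single_quotes(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(q)]

def lookup_parameterized(conn, user_id):
    # Bound parameter: the value travels separately from the SQL text, so the quoting
    # context no longer matters at all.
    q = "SELECT uname FROM wlh_accounts WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(q, (user_id,))]

if __name__ == "__main__":
    conn = setup_db()
    print(search_escaped_quoted(conn, "ali"))           # ['alice']
    print(search_escaped_quoted(conn, "' OR '1'='1"))   # []  quoted: stays a string
    print(lookup_escaped_unquoted(conn, "2"))           # ['bob']
    print(lookup_escaped_unquoted(conn, "1 OR 1=1"))    # ['alice', 'bob', 'carol']  unquoted: injected
    print(lookup_parameterized(conn, "1 OR 1=1"))       # []  bound: compared as data
```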
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]