Jochen Kaechelin wrote:
Can somebody give me some general hints how to prevent SQL injection? I always go this way to build my queries:

    function clean_mysql_string($string) {
        $clean_string = stripslashes($string);
        $clean_string = htmlentities(strip_tags($clean_string));
        $clean_string = trim($clean_string);
        $clean_string = rtrim($clean_string);
        $clean_string = mysql_real_escape_string($clean_string);
        return($clean_string);
    }

    $searchstring = clean_mysql_string($_POST["searchstring"]);
    $query = "SELECT id, uname, nickname,
                     MATCH(uname, nickname) AGAINST('$searchstring' IN BOOLEAN MODE) AS mtch
              FROM wlh_accounts
              HAVING mtch > 0.001
              ORDER BY mtch DESC";
    $results = mysql_query($query);
    while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
        $values[] = array(
            "id"       => $row["id"],
            "uname"    => $row["uname"],
            "nickname" => $row["nickname"],
            "mtch"     => $row["mtch"]
        );
    }

Is this safe??
AFAIK, all you really need to prevent SQL injection is to use mysql_real_escape_string and enclose the variable in single-quotes when you construct the query. Stripslashes is a good idea if magic quotes are enabled in PHP. htmlentities, strip_tags, trim and rtrim are not necessary for preventing SQL injection (and the rtrim is redundant).
Look at Example 3 on http://www.php.net/mysql_real_escape_string (but pay attention to the user comments regarding the is_numeric check).
-- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
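The following is an added example, not code from either poster, that models the three cases the reply distinguishes: input pasted into the query unescaped, input escaped and enclosed in single quotes, and input escaped but left unquoted (the is_numeric situation the reply points to), next to the parameter-binding alternative. It runs offline against an in-memory SQLite table, so several things are stand-ins and are assumptions of the example: SQLite replaces MySQL, quote doubling (standard SQL) replaces mysql_real_escape_string, a plain equality test replaces the MATCH ... AGAINST clause that SQLite lacks, and the wlh_accounts rows are constructed.

```python
import sqlite3

# Constructed sample data standing in for the wlh_accounts table from the post.
# The fourth row has an apostrophe to show that escaping matters for correctness too.
SAMPLE_ROWS = [
    (1, "alice", "ally"),
    (2, "bob", "bobby"),
    (3, "carol", "cazza"),
    (4, "o'neil", "on"),
]


def make_db():
    """In-memory SQLite database with a minimal wlh_accounts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wlh_accounts (id INTEGER PRIMARY KEY, uname TEXT, nickname TEXT)"
    )
    conn.executemany("INSERT INTO wlh_accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def sql_escape(value):
    """Escape a string for use inside a single-quoted SQL literal.

    Doubling the quote is the standard-SQL rule SQLite follows; here it plays the
    role mysql_real_escape_string plays for MySQL in the original post. It does
    nothing useful unless the caller also supplies the surrounding quotes.
    """
    return value.replace("'", "''")


def search_unescaped(conn, term):
    """Vulnerable: user input pasted straight into the statement."""
    query = f"SELECT id, uname, nickname FROM wlh_accounts WHERE uname = '{term}'"
    return conn.execute(query).fetchall()


def search_escaped(conn, term):
    """Escaped AND quoted, as the reply recommends: the payload stays inside the literal."""
    query = f"SELECT id, uname, nickname FROM wlh_accounts WHERE uname = '{sql_escape(term)}'"
    return conn.execute(query).fetchall()


def by_id_escaped_unquoted(conn, id_value):
    """Still vulnerable: escaping without quotes (the is_numeric caveat in the reply).

    A payload such as '1 OR 1=1' contains no quote character, so there is
    nothing for the escape function to neutralise.
    """
    query = f"SELECT id, uname, nickname FROM wlh_accounts WHERE id = {sql_escape(id_value)}"
    return conn.execute(query).fetchall()


def search_param(conn, term):
    """Parameter binding: the driver keeps data and SQL apart, no escaping needed."""
    query = "SELECT id, uname, nickname FROM wlh_accounts WHERE uname = ?"
    return conn.execute(query, (term,)).fetchall()


def by_id_param(conn, id_value):
    """Validate the type first, then bind; non-numeric input is rejected outright."""
    try:
        id_int = int(id_value)
    except (TypeError, ValueError):
        return []
    query = "SELECT id, uname, nickname FROM wlh_accounts WHERE id = ?"
    return conn.execute(query, (id_int,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unescaped:", len(search_unescaped(db, payload)), "rows")      # every row leaks
    print("escaped+quoted:", len(search_escaped(db, payload)), "rows")   # 0 rows
    print("bound:", len(search_param(db, payload)), "rows")              # 0 rows
    print("unquoted id:", len(by_id_escaped_unquoted(db, "1 OR 1=1")), "rows")
    print("bound id:", by_id_param(db, "1 OR 1=1"))                      # []
```

The escaped-and-quoted path does what the reply says it does, and it also makes a legitimate name like o'neil searchable, which the unescaped version would turn into a syntax error. The unquoted numeric case is the one the reply's pointer to is_numeric is about: escaping only protects string literals, so a bare number in the query needs a type check (or binding) instead. Parameter binding covers both cases with one mechanism and does not depend on the escape function agreeing with the connection's character set, which is what mysql_real_escape_string needs the connection for.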
