PHP - Securing data input again sql injection

Question

LloydFarrell 0 Junior Poster

14 Years Ago

Hi all, I have ben tring to write some code that will help protect my forms \ data input

I have wrote the following for anyone to use \ comment \ edit and improve.

Im new to php and have read alot about securing data input from sql injection.

If anyone could reply with how the following can be enhanced or comment so others could use this piece of script, It will not only help me but others too,

Many thanks, I look forward to yuor replies -

// if you would like to use this script, simply change the values 
// of each variable to match those of yours
function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	//Sanitize the POST values
	$gender = clean($_POST['gender']);
	$fname = clean($_POST['fname']);
	$lname = clean($_POST['lname']);
	$dob_y = clean($_POST['dob_y']);
	$dob_m = clean($_POST['dob_m']);
	$dob_d = clean($_POST['dob_d']);
	$age = clean($_POST['age']);
	$login = clean($_POST['login']);
	$password = clean($_POST['password']);
	$cpassword = clean($_POST['cpassword']);
	$email = clean($_POST['email']);
	$mobnum = clean($_POST['mobnum']);
	$country = clean($_POST['country']);
	$city = clean($_POST['city']);
	$img1 = clean($_POST['img1']);

php

4 Contributors
3 Replies
160 Views
8 Months Discussion Span
Latest Post 14 Years Ago Latest Post by Borzoi

Borzoi 24 Posting Whiz

14 Years Ago

I came across a siuation tat i need to store multiline inputs with paragraps. and i need to insert ( ' ) symbol in sql db thro php. I'm a newbie canany one help??
I used multiline textbox for input. It successfull get inserted to db but when i qurey back, it comes as a single line.

You should start your own topic to get the help you need.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Fbody 682 Posting Maven Featured Poster · Answer 1 · 2010-01-12T09:33:11+00:00

Looks like you have the basic idea, real_escape_string() is good for preventing SQL injection because it escapes special characters. It helps to screen out malicious input from a user.

If you want to be sure the actual format of the input is acceptable for the field or database element it will be stored to, you will need to take it a step further. If you are familiar with them and their use, I would suggest the use of regular expressions to verify the format for your password and e-mail inputs. There are also commands such as is_intger() or is_string() that check what type of data a variable contains.

bertin88 0 Newbie Poster · Answer 2 · 2010-10-12T11:40:28+00:00

I came across a siuation tat i need to store multiline inputs with paragraps. and i need to insert ( ' ) symbol in sql db thro php. I'm a newbie canany one help??

I used multiline textbox for input. It successfull get inserted to db but when i qurey back, it comes as a single line.