Hi,

Me again...

Just wanted to know, I have this piece of code to enter the data from a registration form of mine into the user db.

I want to use the mysql_real_escape_string to help stop those evil people who enjoy hacking from hacking my DB.

$query = "INSERT INTO userinformation (username, first_name, last_name, email, password, date_time) VALUES ('$username', '$first_name', '$last_name', '$email', '$password', '$date_time')";

Could someone tell me where I need to put the mysql_real_escape_string function to stop it happening? I am not sure where I place it or how I code it.

thank you,
genieuk

$username=mysql_real_escape_string($username);

Write this before the query.

This might also help.

Preventing SQL Injection

Thank you, although I sorted it, that is a very good read. Much appreciated.

Thanks very much.
genieuk

Hi, I'm new to preventing SQL injection. Please could someone tell me where I need to put this in the query?

$sql = "INSERT INTO voucher(Name, Email, FavouriteArtist, Gallery, VoucherValue, NewCustomer, Added_Time) 
                    VALUES ('{$name}','{$email}','{$featured_artist}','{$nearest_gallery}','50', 'NO', '".time()."')";

Use MySQLi or PDO and use bound parameters instead of string concatenation.
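
The voucher INSERT from the question rewritten with PDO bound parameters, as an added example that is not code from any poster in this thread. It assumes an in-memory SQLite database so it runs offline; the function name addVoucher, the sample values and the MySQL DSN in the comment are hypothetical.

```php
<?php
// Added example: bound parameters keep user input out of the SQL text entirely.
// Assumption: SQLite in memory for a self-contained run. For MySQL, swap the DSN
// for something like 'mysql:host=localhost;dbname=shop;charset=utf8mb4' (placeholder).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also turn off emulated prepares so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE voucher (
    Name TEXT, Email TEXT, FavouriteArtist TEXT, Gallery TEXT,
    VoucherValue TEXT, NewCustomer TEXT, Added_Time INTEGER
)');

// Hypothetical helper: the SQL string is a constant; values travel separately.
function addVoucher(PDO $pdo, string $name, string $email, string $artist, string $gallery): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO voucher
            (Name, Email, FavouriteArtist, Gallery, VoucherValue, NewCustomer, Added_Time)
         VALUES (:name, :email, :artist, :gallery, :value, :new_customer, :added)'
    );
    $stmt->execute([
        ':name'         => $name,
        ':email'        => $email,
        ':artist'       => $artist,
        ':gallery'      => $gallery,
        ':value'        => '50',
        ':new_customer' => 'NO',
        ':added'        => time(),
    ]);
}

// Constructed sample input: an apostrophe that would break the concatenated
// query, and a value full of SQL metacharacters that must be stored as plain text.
addVoucher($pdo, "Sinead O'Connor", 'sinead@example.com', 'Monet', 'London');
addVoucher($pdo, "x', 'y', 'z'); --", 'test@example.com', 'Turner', 'Leeds');

// Both rows come back exactly as submitted; nothing was interpreted as SQL.
foreach ($pdo->query('SELECT Name, Email FROM voucher') as $row) {
    printf("%s <%s>\n", $row['Name'], $row['Email']);
}
echo $pdo->query('SELECT COUNT(*) FROM voucher')->fetchColumn(), " rows stored\n";
```

The same pattern applies to the userinformation INSERT in the first post: one placeholder per column, with the form values passed to execute().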