0

Hi all, I have ben tring to write some code that will help protect my forms \ data input

I have wrote the following for anyone to use \ comment \ edit and improve.

Im new to php and have read alot about securing data input from sql injection.

If anyone could reply with how the following can be enhanced or comment so others could use this piece of script, It will not only help me but others too,

Many thanks, I look forward to yuor replies -

// if you would like to use this script, simply change the values 
// of each variable to match those of yours
function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	//Sanitize the POST values
	$gender = clean($_POST['gender']);
	$fname = clean($_POST['fname']);
	$lname = clean($_POST['lname']);
	$dob_y = clean($_POST['dob_y']);
	$dob_m = clean($_POST['dob_m']);
	$dob_d = clean($_POST['dob_d']);
	$age = clean($_POST['age']);
	$login = clean($_POST['login']);
	$password = clean($_POST['password']);
	$cpassword = clean($_POST['cpassword']);
	$email = clean($_POST['email']);
	$mobnum = clean($_POST['mobnum']);
	$country = clean($_POST['country']);
	$city = clean($_POST['city']);
	$img1 = clean($_POST['img1']);
4
Contributors
3
Replies
4
Views
7 Years
Discussion Span
Last Post by Borzoi
0

Looks like you have the basic idea, real_escape_string() is good for preventing SQL injection because it escapes special characters. It helps to screen out malicious input from a user.

If you want to be sure the actual format of the input is acceptable for the field or database element it will be stored to, you will need to take it a step further. If you are familiar with them and their use, I would suggest the use of regular expressions to verify the format for your password and e-mail inputs. There are also commands such as is_intger() or is_string() that check what type of data a variable contains.

Edited by Fbody: n/a

0

I came across a siuation tat i need to store multiline inputs with paragraps. and i need to insert ( ' ) symbol in sql db thro php. I'm a newbie canany one help??

I used multiline textbox for input. It successfull get inserted to db but when i qurey back, it comes as a single line.

1

I came across a siuation tat i need to store multiline inputs with paragraps. and i need to insert ( ' ) symbol in sql db thro php. I'm a newbie canany one help??

I used multiline textbox for input. It successfull get inserted to db but when i qurey back, it comes as a single line.

You should start your own topic to get the help you need.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.