
Thread: MySQL Injection

  1. #1

    MySQL Injection

    At the end of a Flash game I'm developing I have a submission form which submits the player's score, as well as user-entered values for first name, last name, email address etc.

    These values are sent as variables to an amfphp service which enters them into a MySQL database.

    I'm aware of the need to prevent MySQL injection, be it accidental or malicious, and had thought it would be a simple case of using some php string functions on the variables before entering them into the database.

    However, if I enter:

    INSERT ";" WHERE id='firstName'

    as the 'firstName' variable, I get the "You have an error in your syntax" message.

    I have tried

    PHP Code:
        htmlspecialchars($theString)
        strip_tags($theString)
        htmlentities($theString)

    But none of them seem to prevent the database from thinking I am trying to insert a new row.

    If anyone can advise on this matter I'd very much appreciate it.

  2. #2
    Sorted. For anyone else having trouble:

    PHP Code:
        function no_inject($value) {
            // Undo the slashes added by magic_quotes_gpc, so the value is not escaped twice
            if (get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            // Escape anything that is not a number for use inside a quoted SQL string
            // (mysql_real_escape_string needs an open mysql_connect() link, otherwise it returns false)
            if (!is_numeric($value)) {
                $value = mysql_real_escape_string($value);
            }
            return $value;
        }
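The functions tried in post #1 (htmlspecialchars, strip_tags, htmlentities) encode text for HTML output, not for SQL, so they cannot stop a quote in the input from ending the SQL string. Escaping with mysql_real_escape_string, as in post #2, works only while the escaping matches the connection's character set and only for values that end up inside quotes. The more robust approach is a prepared statement, which hands the values to the driver separately from the SQL text. The following is an added example, not code from the thread or from amfphp; the table name, column names and the in-memory SQLite database are assumptions chosen so the script runs offline. With MySQL the only difference is the DSN passed to PDO; the placeholder syntax is the same.

```php
<?php
// Added example (not from the thread): store the game's submission with a
// prepared statement instead of escaping strings by hand.
// Assumption: a table "scores" with the columns below. SQLite in memory is used
// here so the script runs stand-alone; for MySQL use a DSN such as
// 'mysql:host=localhost;dbname=game;charset=utf8mb4' and additionally set
// PDO::ATTR_EMULATE_PREPARES to false so the server itself binds the values.

function open_scores_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE scores (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        first_name TEXT    NOT NULL,
        last_name  TEXT    NOT NULL,
        email      TEXT    NOT NULL,
        score      INTEGER NOT NULL
    )');
    return $pdo;
}

// The service method the Flash client would call: values arrive as arguments,
// exactly as sent. Nothing is escaped; the driver keeps data and SQL apart.
function submit_score(PDO $pdo, string $first, string $last, string $email, int $score): int {
    // Validate what can be validated before touching the database.
    if (strlen($first) > 50 || strlen($last) > 50) {
        throw new InvalidArgumentException('name too long');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO scores (first_name, last_name, email, score) VALUES (?, ?, ?, ?)'
    );
    $stmt->bindValue(1, $first, PDO::PARAM_STR);
    $stmt->bindValue(2, $last,  PDO::PARAM_STR);
    $stmt->bindValue(3, $email, PDO::PARAM_STR);
    $stmt->bindValue(4, $score, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function fetch_score(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare(
        'SELECT first_name, last_name, email, score FROM scores WHERE id = ?'
    );
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_scores_db();
// Constructed input: the exact string from post #1 as the first name, and a
// surname containing an apostrophe, which is what broke the naive approach.
$hostile = 'INSERT ";" WHERE id=\'firstName\'';
$id  = submit_score($pdo, $hostile, "O'Brien", 'player@example.com', 4200);
$row = fetch_score($pdo, $id);

// Both strings are stored verbatim as data and exactly one row exists.
$count = (int) $pdo->query('SELECT COUNT(*) FROM scores')->fetchColumn();
if ($row['first_name'] !== $hostile || $row['last_name'] !== "O'Brien" || $count !== 1) {
    throw new RuntimeException('unexpected database contents');
}
echo "stored row {$id}: ", json_encode($row), "\n";
```

Because the SQL text and the bound values travel separately, there is no string the client can send that changes the statement's structure; the remaining job is input validation (length, format, numeric range), which the example keeps as its own step before the insert.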

  3. #3
