
Thread: MySQL Injection

  1. #1

    MySQL Injection

    At the end of a Flash game I'm developing I have a submission form which submits the player's score, as well as user-entered values for first name, last name, email address etc.

    These values are sent as variables to an amfphp service which enters them into a MySQL database.

    I'm aware of the need to prevent MySQL injection, be it accidental or malicious, and had thought it would be a simple case of using some PHP string functions on the variables before entering them into the database.

    However, if I enter:

    INSERT ";" WHERE id='firstName'

    as the 'firstName' variable, I get the "You have an error in your syntax" message.

    I have tried

    htmlspecialchars(theString)
    strip_tags(theString)
    htmlentities(theString)

    But none of them seem to prevent the database from thinking I am trying to insert a new row.

    If anyone can advise on this matter I'd very much appreciate it.

  2. #2
    Sorted. For anyone else having trouble:

    PHP Code:
        function no_inject($value) {
            // Undo magic-quotes escaping so the value is not escaped twice
            if (get_magic_quotes_gpc()) {
                $value = stripslashes($value);
            }
            // Escape if not numeric (the query must still wrap the value in quotes)
            if (!is_numeric($value)) {
                $value = mysql_real_escape_string($value);
            }
            return $value;
        }
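
The thread's problem, reworked with a parameterized query, as an added example that is not code from either poster: it shows why an HTML encoder such as htmlspecialchars() does not stop the test string from post #1 breaking the statement, and how a prepared statement stores the same string verbatim. An in-memory SQLite database stands in for MySQL so it runs offline; the table, column and function names are assumptions.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so this runs offline;
// the table and column names (scores, first_name, score) are assumptions.
function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE scores (id INTEGER PRIMARY KEY, first_name TEXT, score INTEGER)');
    return $db;
}

// HTML-encode, then splice into the SQL text: the approach tried in post #1.
// htmlspecialchars() rewrites " as &quot; but leaves ' alone, so the quote
// in the input still ends the SQL string literal early.
function save_score_concat(PDO $db, string $firstName, int $score): bool {
    $encoded = htmlspecialchars($firstName, ENT_COMPAT);
    try {
        $db->exec("INSERT INTO scores (first_name, score) VALUES ('$encoded', $score)");
        return true;
    } catch (PDOException $e) {
        return false; // the database rejected the statement as malformed SQL
    }
}

// Placeholders: the value travels separately from the SQL text, so no
// character in it can change the structure of the statement.
function save_score_prepared(PDO $db, string $firstName, int $score): bool {
    $stmt = $db->prepare('INSERT INTO scores (first_name, score) VALUES (:first_name, :score)');
    $stmt->bindValue(':first_name', $firstName, PDO::PARAM_STR);
    $stmt->bindValue(':score', $score, PDO::PARAM_INT);
    return $stmt->execute();
}

$db = open_db();
$input = 'INSERT ";" WHERE id=\'firstName\''; // the test string from post #1

echo 'concatenated: ', save_score_concat($db, $input, 1200) ? 'stored' : 'syntax error', "\n";
echo 'prepared:     ', save_score_prepared($db, $input, 1200) ? 'stored' : 'failed', "\n";

// The prepared insert keeps the input byte for byte, quotes included.
$stored = $db->query('SELECT first_name FROM scores')->fetchColumn();
echo 'round trip:   ', $stored === $input ? 'identical' : 'altered', "\n";
```

Against MySQL the same functions work with a `mysql:` DSN; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the driver use server-side prepared statements.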
