Posted by Peter van Schie on 07/14/06 19:27
Mike wrote:
> I have read through lots of messages about database injection but I'm
> still a bit confused.
>
> I have a website where users input data either for searching or storing
> on a database such as logging in or storing personal data in the
> database.
>
> I'm confused what commands to use to make sure commands such as DROP
> etc are not entered.
>
> I've seen stripslashes(), addslashes(), striptags() etc. What should
> be used?
Take a look at mysql_real_escape_string. It's also a good idea to set up
a MySQL user account for all queries from the users. Simply don't allow
that account to execute DROP queries and only allow it to execute
queries you really need.
HTH.
Peter.
--
http://www.phpforums.nl
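The two measures Peter recommends, shown together as an added example (not code from the original post): escaping the user's input before it is interpolated into the query, and running the application's queries under a MySQL account that holds only the privileges it needs. It uses the mysqli counterpart of the function he names (the ext/mysql mysql_real_escape_string was removed in PHP 7). The database name "shop", the account "webapp" and its password, and the "users" table are assumptions for the illustration.

```php
<?php
// Added example: escape user input before interpolating it into MySQL
// query text, and run the application's queries under a restricted
// account. Hypothetical names: database "shop", account "webapp",
// table "users".

// One-time setup, run as the MySQL admin user (hypothetical names):
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'change-me';
//   GRANT SELECT, INSERT, UPDATE ON shop.* TO 'webapp'@'localhost';
// No DROP, DELETE, ALTER or GRANT privileges: even a query that slips
// through cannot drop tables, and MySQL answers such a statement with
// "command denied to user 'webapp'@'localhost'".

$db = new mysqli('localhost', 'webapp', 'change-me', 'shop');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Vulnerable: the input is dropped straight into the SQL text.
// With $_GET['name'] = "x' OR '1'='1" the query becomes
//   SELECT id, name FROM users WHERE name = 'x' OR '1'='1'
// and returns every row in the table.
function find_user_vulnerable(mysqli $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Escaped: real_escape_string() backslash-escapes the quotes using the
// connection's character set, so the same input produces
//   SELECT id, name FROM users WHERE name = 'x\' OR \'1\'=\'1'
// which looks for a user whose name is literally x' OR '1'='1.
function find_user_escaped(mysqli $db, string $name): array {
    $safe = $db->real_escape_string($name);
    $sql  = "SELECT id, name FROM users WHERE name = '$safe'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// Numeric columns are a separate case: escaping does nothing for an
// unquoted value, so cast it to the expected type instead.
function find_user_by_id(mysqli $db, string $id): array {
    $id  = (int) $id;
    $sql = "SELECT id, name FROM users WHERE id = $id";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

$name = $_GET['name'] ?? '';
var_dump(find_user_escaped($db, $name));
```

Two caveats worth keeping in mind: the escaping function needs an open connection because the escaping depends on the connection's character set, and it only protects values that sit inside quoted string literals. A value placed in an unquoted position (a numeric comparison, a column or table name, an ORDER BY direction) is not protected by escaping and has to be cast or checked against a whitelist instead.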