Preventing MYSQL Injection Attacks!

Hewlett-packard / Gj311aa-abu
January 15, 2009 at 09:55:46
Specs: Microsoft Windows Pista, 2.394 GHz / 3070 MB

I'm currently working on a small script for my website; it is powered by a MySQL DB and I have come into one big problem…

I have created a function to stop those pesky MySQL injections, but it likes to remove all ' from the text that I input.

The only problem is that I can't use it as punctuation. How could I stop it from replacing ' with \'?

So sentences like

Joe's blog's are amazing!!!

Don't become

Joe\'s blog\'s are amazing!!!

All help is very much appreciated!


January 15, 2009 at 13:34:04
Oh, and I forgot to add that I'm using mysql_real_escape_string and strip_tags.


January 16, 2009 at 20:19:51
Use stripslashes after reading the data out of the database.

Technically though, you should be using a prepared statement & then you don't need to worry about quoting.


January 17, 2009 at 01:54:13
I'm guessing your PHP configuration has Magic Quotes turned on:
When Magic Quotes is turned on, any data coming from a form input will automatically have slashes added to the values. Then, when mysql_real_escape_string() is used, it adds additional slashes on top of that!

User Input: Bob's Store
POST Data: Bob\'s Store
mysql_real_escape_string() output:
Bob\\\'s Store

As Fist states, you would want to run stripslashes on the POST data and then run mysql_real_escape_string() on it. However, if you want your code to be portable (able to move to any server), you need to code such that it will work whether magic quotes are on or off.

Instead of using mysql_real_escape_string() directly, you can create a custom function that will work no matter the environment.

function dbSafe($string)
{
  // Undo the slashes magic_quotes_gpc added to request data, so the
  // value is escaped exactly once regardless of the server setting
  if (get_magic_quotes_gpc()) {
    $string = stripslashes($string);
  }
  return mysql_real_escape_string($string);
}

Michael J

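Putting the two suggestions in this thread together (strip magic quotes once at the input boundary, then use a prepared statement so nothing has to be escaped into the SQL at all), as an added example that is not code from the thread. It uses mysqli and assumes a posts table and connection details of your own; the capitalised values are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a table
// posts(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT) and your own
// connection details; the capitalised values are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // binding and escaping are charset-aware

// Step 1: undo magic_quotes_gpc once, at the input boundary, so the
// value is the same whether the server has it on or off (the feature was
// removed in PHP 5.4 and the function itself in PHP 8, hence the guard).
function rawInput(array $source, $key)
{
    $value = isset($source[$key]) ? $source[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 2: never splice the value into the SQL text; bind it instead.
// The value travels separately from the statement, so the apostrophes in
// "Joe's blog's" can neither close the string literal nor alter the query,
// and no backslashes are ever added to what gets stored.
function insertPost(mysqli $db, $body)
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

function fetchPost(mysqli $db, $id)
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// Constructed sample input standing in for $_POST.
$form = array('body' => "Joe's blog's are amazing!!!");
$id = insertPost($db, rawInput($form, 'body'));
echo fetchPost($db, $id), "\n";
```

Because the stored value was never escaped, the row comes back with the apostrophes intact and no stripslashes call is needed on the way out.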