Preventing SQL injection in PHP with MDB2
Question
I'm trying to figure out how to prevent sqlinjection, I wrote this basic function: function
antiInjectie($inputfromform){
$temp = str_replace("'", "`",$inputfromform);
$temp = str_replace("--", "~~",$temp);
return htmlentitites($temp);
}
However someone told me to also take hex values in consideration, but how do I do this?
Update I'm stuck with MDB2 and pgsql
4 answers
solution1
6 ACCPTED 2011-07-17 17:31:17
Bobby-Tables has a good guide to preventing SQL injection.
In short: Don't twiddle with the input yourself, use database API methods that allow bound parameters.
solution2
2 2011-07-17 17:48:59
With MDB2 you can do the same as with PHP's native PDO abstraction that was proposed in related question Best way to stop SQL Injection in PHP . You can either use a prepared statement with prepare and execute or by quoting and inserting the values manually.
solution3
2 2011-07-17 19:57:22
Use pg_query_params() , the most easy function to avoid SQL injection using PHP and PostgreSQL.
solution4
1 2011-07-17 17:33:02
First, don't write any escapting function yourself. They're very likely to be broken and the database library is very likely to contain a proper one. For mysql you can use mysql_real_escape_string .
A much better longterm solution though is not to create your full query as text, but rather use prepared queries and pass the values during execution. For mysql, check the mysqli extension.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.