[nycphp-talk] Mysql question!
Rahmin Pavlovic
rahmin at insite-out.com
Tue Oct 31 16:48:23 EST 2006
Quoting csnyder <chsnyder at gmail.com>:
> You always need to escape each of the user submitted values in your
> SQL, in order to prevent breakage and security vulnerabilities. The
> mysql_real_escape_string() function is the recommended way to do this.
>
> function dbEsc( $value ) {
> return mysql_real_escape_string( $value );
> }
>
This is also a good spot to check for magic quotes, strip conflicting
line-breaks + whatever else you may need:
function dbEsc( $value ) {
    // Drop leading/trailing whitespace before anything else.
    $value = trim( $value );
    // If magic_quotes_gpc is on, PHP has already added slashes to GPC
    // input; remove them so the value is not escaped twice below.
    if( get_magic_quotes_gpc() ) {
        $value = stripslashes( $value );
    }
    // Normalise mixed line endings to a single "\n".
    $value = str_replace( "\n\r", "\n", $value );
    $value = str_replace( "\r\n", "\n", $value );
    // Escape for the current MySQL connection; the caller still has to
    // place the result inside quotes in the SQL string.
    return mysql_real_escape_string( $value );
}