All about PHP/MySQL

Wednesday, February 27, 2008

function for SQL Injection Protection

If your site's web forms collect user-supplied data and write it into a database, the function below is there to keep the SQL injection an experienced attacker would try out of your queries. Without going into the details of the hacking side, here is the function that hardens the site:

function quote_smart($value)
{
    // Undo magic_quotes_gpc if it is on, so the value is not escaped twice.
    // (Magic quotes were removed in PHP 5.4; from then on this branch never runs.)
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Escape and wrap in single quotes anything that is not a number or a
    // numeric string. mysql_real_escape_string() needs an open connection so
    // that the escaping matches the connection's character set.
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

Simply run each posted field through the function before it goes into the table. For example:

$form_field_value = quote_smart($_POST['form_field_name']);

Because quote_smart() adds the surrounding single quotes itself, put the result into the SQL string without quoting it again; a second pair of quotes would break the query. Note also that numeric-looking input comes back unquoted. That is what you want for a numeric column, but against a string column MySQL treats 'alice' = 0 as true, so a bare 0 in the WHERE clause can match far more rows than intended. Finally, the mysql extension was removed in PHP 7, so on current PHP the same job is done with mysqli or PDO, preferably with prepared statements.

This should help a lot, I'm sure.
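The injection this function is meant to stop, shown end to end as an added example (not code from the original post). It assumes PHP 7 or later with PDO and the pdo_sqlite driver, and uses an in-memory SQLite database in place of MySQL so it runs offline; the table, its rows and the attacker input are constructed for the example. PDO::quote() plays the role of the "'" . mysql_real_escape_string($value) . "'" step in quote_smart(), and the prepared statement is the modern replacement for both:

```php
<?php
// Added example, not code from the original post. Assumptions: PHP 7+ with PDO
// and pdo_sqlite; an in-memory SQLite database stands in for MySQL. The table,
// rows and attacker input below are constructed for this demonstration.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $db;
}

// 1. Vulnerable: the raw form value is concatenated into the SQL text, so an
//    attacker's quote closes the literal and the rest becomes SQL.
function find_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped and quoted in one step, which is what quote_smart() does for a
//    non-numeric value. PDO::quote() is the driver-aware equivalent of
//    "'" . mysql_real_escape_string($value) . "'" and, like quote_smart(),
//    supplies the quotes itself, so none are written around it in the SQL.
function find_quoted(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Preferred on current PHP: a prepared statement sends the value separately
//    from the SQL text, so nothing is escaped and no is_numeric() special case
//    exists to get wrong.
function find_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_db();
// Constructed attacker input, as it would arrive in $_POST['form_field_name'].
$attack = "nobody' OR '1'='1";

foreach (['find_vulnerable', 'find_quoted', 'find_prepared'] as $fn) {
    $rows = $fn($db, $attack);
    printf("%-16s returned %d row(s) %s\n", $fn, count($rows),
        $rows ? '(' . implode(', ', $rows) . ')' : '');
}
```

Run with `php example.php`: the vulnerable query returns both users because the injected OR clause is true for every row, while the quoted and the prepared query each return nothing, since the whole attacker string is compared as one literal name.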

Happy coding :-)

1 Comment:

  • $value = "" . mysql_real_escape_string($value) . "";
    It is ok, though, but I think this can also serve the purpose:
    $value = mysql_real_escape_string($value);

    By Blogger siddique, At August 24, 2009 at 11:18 PM  
