On 07/08/2010 02:38 PM, David Mehler wrote:
> Hello,
> Got a form that takes in data to enter in to a database. I want to
> make it as secure and as invulnerable to sql injection and other
> attacks as possible. I'm wondering if mysqli_real_escape_string or
> stripslashes should be used or if the former does the latter. For
> example, I have a name variable:

In general this is fine:

> $name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));
> or should I do:

You need to do something like this only if magic_quotes are enabled on
your PHP installation, except you would stripslashes first:

if (get_magic_quotes_gpc()) {
   // magic_quotes_gpc already added backslashes to the posted value;
   // remove them first so the value is escaped exactly once below
   $_POST['name'] = stripslashes($_POST['name']);
}
$name = mysqli_real_escape_string($DatabaseLink, trim($_POST['name']));

> $name = stripslashes(mysqli_real_escape_string($dbc, trim($_POST['name'])));
> Thanks.
> Dave.

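The ordering discussed above, as an added example that is not code from either poster: undo magic_quotes_gpc first, escape once, and (going beyond the thread) bind the value with a prepared statement. It assumes a mysqli connection $DatabaseLink and a hypothetical table `people` with a `name` column; the get_magic_quotes_gpc() guard is there because the function always returns false from PHP 5.4 on and no longer exists in PHP 8.

```php
<?php
// Added example (not from the thread). Assumes $DatabaseLink is an open mysqli
// connection and a hypothetical table `people` with a `name` column exists.

// Undo the automatic backslashes magic_quotes_gpc adds to GET/POST/COOKIE data,
// so the value is escaped exactly once later. get_magic_quotes_gpc() returns
// false from PHP 5.4 on and was removed in PHP 8.0, hence the function_exists().
function rawInput($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Variant 1: the escaping approach from the thread, in the right order.
function insertNameEscaped(mysqli $DatabaseLink, $postedName) {
    $name = mysqli_real_escape_string($DatabaseLink, rawInput($postedName));
    return mysqli_query($DatabaseLink, "INSERT INTO people (name) VALUES ('$name')");
}

// Variant 2: a prepared statement. The value is sent separately from the SQL
// text, so no escaping is needed and a double-escaping mistake cannot happen.
function insertNamePrepared(mysqli $DatabaseLink, $postedName) {
    $name = rawInput($postedName);
    $stmt = mysqli_prepare($DatabaseLink, 'INSERT INTO people (name) VALUES (?)');
    mysqli_stmt_bind_param($stmt, 's', $name);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// What each order does to a constructed input "O'Brien" when magic quotes are
// ON (it arrives in $_POST as O\'Brien):
//   stripslashes, then escape -> O\'Brien    stored as O'Brien   (correct)
//   escape only               -> O\\\'Brien  stored as O\'Brien  (stray backslash)
//   escape, then stripslashes -> O\'Brien    correct only by accident: with magic
//                                quotes OFF it strips the escaping back out,
//                                leaving the quote unescaped in the SQL
```

Prefer the prepared-statement variant; the escaping variant is only as safe as the connection charset mysqli_real_escape_string is told about, so set it with mysqli_set_charset() rather than a SET NAMES query.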

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
