Preventing SQL Injection Attacks

by Dave on November 2nd, 2007

<?php


if (isset($_POST['product_name']) && isset($_POST['product_description']) && isset($_POST['user_id'])) {

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');
if(!is_resource($link)) {
echo "Failed to connect to the server\n";

// ... log the error properly
} else {
// Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
if(get_magic_quotes_gpc()) {

$product_name?  ?  ?  ?  = stripslashes($_POST['product_name']);

$product_description = stripslashes($_POST['product_description']);

} else {

$product_name?  ?  ?  ?  = $_POST['product_name'];

$product_description = $_POST['product_description'];

}
// Make a safe query

$query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",

mysql_real_escape_string($product_name, $link),

mysql_real_escape_string($product_description, $link),

$_POST['user_id']);
mysql_query($query, $link);

if (mysql_affected_rows($link) > 0) { echo "Product inserted\n"; } } } else { echo "Fill the form properly\n"; } ?>

From → PHP

No comments yet

You must be logged in to post a comment.

Preventing SQL Injection Attacks

Leave a Reply

Recent Articles

Categories

Archives

About

Categories

Search