Sunday, May 20, 2018

mysql - SQL Injection in my php code

Possible Duplicate: How to prevent SQL injection in PHP?

I want to know if my code is vulnerable to hacks like SQLi.

function insertRow($table, $fields, $values)
{
    // The number of column names must match the number of values.
    if (count($fields) != count($values)) {
        echo "fields and values must be the same count";
        return null;
    }
    // Build "INSERT INTO table SET col = 'val', ..." by string concatenation.
    $query = "INSERT INTO " . $table . " SET ";
    foreach ($fields as $key => $field) {
        // Each value is run through htmlspecialchars() before being quoted into the SQL.
        $query .= $field . " = '" . htmlspecialchars($values[$key], ENT_QUOTES) . "', ";
    }
    // Drop the trailing ", ".
    $query = substr($query, 0, -2);

    // $this->con holds the mysql_connect() link resource.
    if (!mysql_query($query, $this->con)) {
        echo "Error : " . mysql_error($this->con) . "\n";
        return false;
    }
    return true;
}

I use htmlspecialchars() and I want to know if it is OK.

Edit:

$fields = array("a", "b", "c");
$values = array($_POST["a"], $_POST["b"], $_POST["c"]);
$a = $dbc->insertRow("tbl_synagoge", $fields, $values);

Answer

Instead of htmlspecialchars() use mysql_real_escape_string().

This will make your code more secure.

However, you might want to retire all your mysql_* functions as they are deprecated. You can get started right here: MySQLi
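The answer points at MySQLi; the following is an added example (not the question's or the answer's code) of the same insertRow() rebuilt on MySQLi prepared statements. It assumes PHP 7.4 or later, that $this->con is a mysqli object, and an allow-list of tables and columns that you would adjust to your own schema, since table and column names cannot be bound as parameters and neither htmlspecialchars() nor mysql_real_escape_string() is meant for identifiers.

```php
<?php
// Added example, not the question's or the answer's code: insertRow() rebuilt on
// MySQLi prepared statements (PHP 7.4+ assumed). $this->con is a mysqli object.
class Db
{
    private mysqli $con;
    // Assumed allow-list of tables and their writable columns; adjust to your schema.
    private const ALLOWED = [
        'tbl_synagoge' => ['a', 'b', 'c'],
    ];
    public function __construct(mysqli $con)
    {
        $this->con = $con;
    }
    public function insertRow(string $table, array $fields, array $values): bool
    {
        if (count($fields) === 0 || count($fields) !== count($values)) {
            throw new InvalidArgumentException('fields and values must be the same non-zero count');
        }
        // Table and column names cannot be bound as parameters, so they are
        // checked against the allow-list instead of being escaped.
        if (!isset(self::ALLOWED[$table])) {
            throw new InvalidArgumentException("unknown table: $table");
        }
        foreach ($fields as $field) {
            if (!in_array($field, self::ALLOWED[$table], true)) {
                throw new InvalidArgumentException("unknown column: $field");
            }
        }
        $setList = implode(', ', array_map(fn($f) => "`$f` = ?", $fields));
        $stmt = $this->con->prepare("INSERT INTO `$table` SET $setList");
        if ($stmt === false) {
            error_log('prepare failed: ' . $this->con->error);
            return false;
        }
        // Values are sent separately from the SQL text, so quotes, backslashes or
        // comment sequences in $_POST data are stored literally, never parsed as SQL.
        $params = array_values($values);
        $stmt->bind_param(str_repeat('s', count($params)), ...$params);
        $ok = $stmt->execute();
        if (!$ok) {
            error_log('execute failed: ' . $stmt->error);
        }
        $stmt->close();
        return $ok;
    }
}
```

With a Db constructed from a mysqli connection, the questioner's call $dbc->insertRow("tbl_synagoge", $fields, $values) works unchanged.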