Reputation: 5442
How to block SQL injection for this query?
now i have this form post script
<?
if(isset($_POST['baslik'])) {
$sql = "INSERT INTO yazilar (baslik, spot, spot_kisa, spot_resim, spot_resim_isim, icerik, kategori, tiklanma, eklemetarihi)
VALUES
('$_POST[baslik]','$_POST[spot]','$_POST[spot_kisa]','$_POST[spot_resim]','$_POST[spot_resim_isim]','$_POST[icerik]','$_POST[kategori]','$_POST[tiklanma]','$_POST[tarih]')";
$sonuc = mysql_query($sql) or die(mysql_error());
if ($sonuc) {
echo ("<p class='msg done'>Yeni icerik basarili bir sekilde eklendi.</p>");
exit;
}
else {
$error = "<p class='msg warning'>Ekleme basarisiz oldu.</p>";
}
}
?>
how can i ignore sql injections for this query?
Upvotes: 0
Views: 1230
Answers (2)
Reputation: 36320
Using parametrised queries as jammycackes suggests is the way to go, but if you for some reason cannot use them then you can use the mysql-real-escape-string function to block most (all?) dangerous values. The problem is that you must use it on every received value, so you cannot use the shorthand notion you use in your example.
Upvotes: 1
Reputation: 5866
Use parametrised queries. Unfortunately these are not supported by the mysql extension in PHP 4, but if you are using PHP 5, you can use the mysqli extension or PDO instead, where they are.
See http://www.php.net/manual/en/mysqli.prepare.php for an example of how this is done.
Upvotes: 8
Related Questions
- How can I prevent SQL injection in PHP?
- Is there a better way to combat SQL Injection?
- anti sql-injection in magento
- SQL Injection: trying to avoid it but got an error
- How to prevent SQL Injection in Wordpress?
- What is the best practice to prevent SQL injection here?
- How to protect this SQL in a PHP from SQL Injection?
- Prevent SQL Injection in SELECT statement
- How to protect this code from sql injection?
- what is the best way to prevent sql injection in mysql