06-25-09, 02:07 PM
=OTS=G-Man
Quote:
Originally Posted by smithygotlost
Excellent star as always, nico.

Now what's the best way to stop SQL injects??

I've tried things like

Code:
$profile_text = preg_replace('/\'\'/', '\'', $profile_text);
if ($_POST["text"] != ""){
	$new_profile_text = mysql_real_escape_string($_POST["text"]);
}

etc. What else can I use??

Thanks
Mike
That should be good enough, but depending on what you're escaping, you can just limit the characters allowed. For example, for the username on my site, I only allow [a-zA-Z0-9], so that stopped any possible use of special chars in the username field.
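The two measures discussed in this thread, restricting a field to [a-zA-Z0-9] and keeping free text out of the SQL string, shown together as an added example that is not part of either post. It uses PDO prepared statements in place of mysql_real_escape_string (a swapped-in technique); the function names, the users table and the sample inputs are constructed for illustration.

```php
<?php
// Added example: validate_username(), save_profile() and the users table are hypothetical.

// Allow-list check: the whole string must be 1-32 characters from [a-zA-Z0-9].
// \A and \z anchor the full input; "$" alone would also accept a trailing newline.
function validate_username(string $name): bool
{
    return preg_match('/\A[a-zA-Z0-9]{1,32}\z/', $name) === 1;
}

// Free-text fields cannot be allow-listed, so the value is bound as a parameter
// and never concatenated into the SQL string.
function save_profile(PDO $db, string $username, string $text): bool
{
    if (!validate_username($username)) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET profile_text = :text WHERE username = :name');
    $stmt->execute([':text' => $text, ':name' => $username]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, profile_text TEXT)');
$db->exec("INSERT INTO users VALUES ('mike', ''), ('nico', '')");

// Constructed inputs: a profile text full of quotes, and three candidate usernames.
$text = "It's Mike's page'; -- \"quoted\"";
var_dump(save_profile($db, 'mike', $text));     // allow-listed name
var_dump(save_profile($db, "mike'--", $text));  // contains characters outside the allow-list
var_dump(save_profile($db, "mike\n", $text));   // trailing newline

// Compare what was stored with what was submitted, and check the other row.
$rows = $db->query('SELECT username, profile_text FROM users ORDER BY username')
           ->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($rows['mike'] === $text, $rows['nico'] === '');
```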