is this code ok?

Discussion in 'PHP' started by baris22, Dec 28, 2008.

  1. #1
    hello,

    I am trying to secure my database. Is the way I did it OK, or is there a better way to do it?

    Thanks


    $description = addslashes($description);               // backslash-escapes ' " \ and NUL
    $description = htmlspecialchars($description);         // HTML-encodes & < > " (and ' depending on flags / PHP version)
    $description = stripslashes($description);             // removes the backslashes added by addslashes() above
    $description = mysql_real_escape_string($description); // escapes the string for the open MySQL connection

    baris22, Dec 28, 2008 IP
  2. Danltn
    #2
    You're adding slashes, then taking them away again? Why? But yes, remove the addslashes line and that should be good enough for raw SQL hacks. It's better, though, to sanitize individual data according to what it should be (i.e. for numbers, remove anything that isn't a number, possibly through intval, etc.).

    Dan
     
    Danltn, Dec 28, 2008 IP
  3. baris22
    #3
    How is this one?


    function prepare_for_mysql($value){
        // magicSlashes() is not defined anywhere in this post
        return htmlspecialchars(magicSlashes(trim($value)));
    }

    function mysql_prep($value){
        $magic_quotes_active = get_magic_quotes_gpc();
        $new_enough_php = function_exists("mysql_real_escape_string");
        // i.e. PHP >= v4.3.0
        if($new_enough_php){
            // undo any magic quote effects so mysql_real_escape_string can do the work
            if($magic_quotes_active){
                $value = stripslashes($value);
            }
            $value = mysql_real_escape_string($value);
        }else{ // before PHP v4.3.0
            // if magic quotes aren't already on, add slashes manually
            if(!$magic_quotes_active){
                $value = addslashes($value);
            } // if magic quotes are active, then the slashes already exist
        }
        return $value;
    }

    baris22, Dec 28, 2008 IP
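The two points the thread circles (Danltn's "sanitize according to what it should be" in #2, and the double-escaping / magic-quotes worry behind mysql_prep() in #3) are easier to see run than to argue about. The script below is an added example, not code from baris22 or Danltn. It assumes PHP 7.1 or later with the pdo_sqlite extension. Because mysql_* was removed in PHP 7.0, get_magic_quotes_gpc() in 8.0 and magic quotes themselves in 5.4, the legacy escape step is emulated with addslashes(), which escapes the same four characters (quote, double quote, backslash, NUL) for the inputs used here; the table, column names and sample rows are made up for the demo.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite
// (check with `php -m | grep -i pdo_sqlite`). addslashes() stands in for the
// removed mysql_real_escape_string(); table/rows below are constructed.
declare(strict_types=1);

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO items (id, description) VALUES (:id, :d)');
    foreach ([[1, "Tom's item"], [2, 'second item'], [3, 'third item']] as [$id, $d]) {
        $ins->execute([':id' => $id, ':d' => $d]);
    }
    return $db;
}

// Post #1's chain minus the final escape: addslashes() and stripslashes()
// cancel out, so the result is exactly htmlspecialchars($v). Returns true
// when the two agree, i.e. the slash round trip was a no-op.
function slash_roundtrip_is_noop(string $v): bool {
    $chain = stripslashes(htmlspecialchars(addslashes($v)));
    return $chain === htmlspecialchars($v);
}

// Stand-in for mysql_real_escape_string() (see header comment).
function legacy_escape(string $v): string {
    return addslashes($v);
}

// Danltn's point: an escaped value spliced into an *unquoted* numeric context
// is not protected at all, because "1 OR 1=1" contains nothing to escape.
function count_by_escaped_id(PDO $db, string $rawId): int {
    $sql = 'SELECT COUNT(*) FROM items WHERE id = ' . legacy_escape($rawId);
    return (int) $db->query($sql)->fetchColumn();
}

// The fix he suggests (validate the type, intval-style) plus a bound
// parameter, which is what replaced the whole mysql_prep() dance later on.
function count_by_typed_id(PDO $db, string $rawId): int {
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("not an integer id: $rawId");
    }
    $st = $db->prepare('SELECT COUNT(*) FROM items WHERE id = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return (int) $st->fetchColumn();
}

// Post #3's worry (escaping twice, storing mangled text): with a bound
// parameter the text is stored and read back byte for byte, quotes,
// backslashes and ampersands included. HTML encoding belongs at output.
function store_and_reload(PDO $db, string $description): string {
    $db->prepare('INSERT INTO items (id, description) VALUES (99, :d)')
       ->execute([':d' => $description]);
    $st = $db->prepare('SELECT description FROM items WHERE id = 99');
    $st->execute();
    $stored = (string) $st->fetchColumn();
    $db->exec('DELETE FROM items WHERE id = 99');
    return $stored;
}

$db = build_db();

$attack = '1 OR 1=1';
printf("escaped + unquoted: %d of 3 rows matched (attacker wins)\n",
       count_by_escaped_id($db, $attack));
try {
    count_by_typed_id($db, $attack);
} catch (InvalidArgumentException $e) {
    printf("typed + bound:      rejected (%s)\n", $e->getMessage());
}
printf("typed + bound, id 2: %d row\n", count_by_typed_id($db, '2'));

$desc = "O'Reilly & <Sons> \\ one\\two";
var_dump(slash_roundtrip_is_noop($desc));
var_dump(store_and_reload($db, $desc) === $desc);
// Encode for HTML only when rendering; the database keeps the raw text.
echo htmlspecialchars(store_and_reload($db, $desc), ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php escape_demo.php` (any file name works). The first lookup shows that mysql_real_escape_string-style escaping does nothing for an integer column that is not quoted in the SQL, which is exactly the case Danltn's intval remark covers; the second shows that validating the type and binding the parameter rejects the input before it reaches the database. The last part is the reason to drop htmlspecialchars() from the storage path entirely: the stored value should equal what the user typed, and the HTML encoding is applied once, at the point where the text is written into a page.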