i have implemented a way to avoid sql injection from the php website from this url http://in.php.net/mysql_real_escape_string from the "Example #3 A "Best Practice" query" section of this page following are the steps i have followed after the form values are submitted to a php file. step 1. if(get_magic_quotes_gpc()) { $username = stripslashes($_POST["username"]); ......... } else { $username = $_POST["username"]; ......... } step 2. $conn = mysql_connect($hostname, $user, $password); step 3. $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...); step 4. if(!$conn) { header("Location: http://website/dberror.html"); exit; } else { mysql_select_db($database, $conn); $insertqueryresult = mysql_query($insertquery); if(!$insertqueryresult) { header("Location: http://website/error.html"); exit; } } with the above method i am able to insert values into the table even with if i enter the ' special character which can cause problems. i have also used a simple sql insert query like $insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)"; when i used this simple insert query and if i entered ' in the form and submitted the form the php file is unable to process the information entered because of the ' character and as per the code error.html file is being displayed where as if i use $insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)", mysql_real_escape_string($username, $conn), ...); even if i enter any number of ' characters in more than 1 form field data is being inserted into the table a) so i am thinking that the steps i have taken from the php site is correct and the right way to avoid sql injection though there are several ways to avoid sql injection. b) for example if i enter data in the form as = abc'''def for name, the data in the table for the name field is being written as abc'''def based on how i have written the steps to avoid sql injection is this the right way for the data to be stored with ' characters along with the data example as i mentioned = abc'''def please answer the questions a) and b) if there is something else i need to do please suggest what needs to be done exactly and at which step. any help will be greatly appreciated. thanks.
Congratulations with your first db aware PHP code. Do you plan to keep us in touch and publish all code you written here? P.S. Key function here is mysql_real_escape_string, not sprintf