Linked Questions

1287 votes
17 answers
707k views

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?
Brent • 23.7k
795 votes
4 answers
326k views

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(...
Richard Knop • 84.2k
18 votes
4 answers
3k views

Is the following good enough to avoid a SQL injection? mysql_real_escape_string(htmlentities (urlencode($_POST['postmessage'])));
user342391 • 7,867
6 votes
8 answers
8k views

I use CodeIgniter, and I am having trouble with hacking. Is it possible to make an SQL injection into the login code below: function process_login() { $username = mysql_real_escape_string($this->...
designer-trying-coding
6 votes
6 answers
6k views

The thing is that I have a complete working website with many calls to the MySQL server, and doing some research on this site I saw that making my queries in this form: $query = sprintf("SELECT * FROM ...
DomingoSL • 15.6k
4 votes
5 answers
21k views

I am currently using below function to sanitize my $_POST and $_GET against SQL injection. Unfortunately, I cannot post code through it, for example: "<a href test". How does Twitter do it? ...
mahen23 • 737
8 votes
3 answers
13k views

Should I use mysqli_real_escape_string or should I use prepared statements? I've seen a tutorial now explaining prepared statements but I've seen them do the same thing as mysqli_real_escape_string ...
Ali • 3,436
5 votes
5 answers
9k views

I'm using mysqli prepared statements. Should I still sanitise the user input with some function like: function sanitise($string){ $string = strip_tags($string); // Remove HTML $string = ...
Jay • 11.2k
0 votes
5 answers
15k views

I was using PHP 5.2 earlier. Now I want to upgrade to PHP 5.4. Magic quotes are removed now. I want to make my application work properly. Which function should I use for escaping data ...
Tanu Gupta
0 votes
3 answers
5k views

I've been sanitising my inputs using mysql_real_escape_string amongst other functions and have recently read that Prepared Statements are the only way to be truly secure. However I am reluctant to use ...
user991987
1 vote
5 answers
1k views

I am writing lots of info from an XML file into a database. Everything works fine until I come across a field with the ' in the description -- that insertion fails with an error: Error 1064:You have ...
kitenski • 639
1 vote
2 answers
4k views

I have a cms that I am working on for a client, he wants to add a code textbox so he can paste special code for pages on a page by page basis. So, I need to be able to give the user a way to input ...
John • 351
1 vote
1 answer
3k views

I need to make an SQL UPDATE statement in PHP, and my column name needs to be a variable. I get these variables from the jQuery ajax post method and I have them in PHP: $variable = $_POST['variable']; $...
user3316619
1 vote
4 answers
3k views

I was told to use bind parameters so that I could insert text into my db that had quotes in it. But, I am pretty confused when it comes to how to do this, the commands seem confusing to me. So, if I ...
Nic Hubbard • 42.3k
0 votes
1 answer
2k views

Tried to make a simple click counter, doesn't work. What's wrong with my trash code? addLike.php <?php $requestLikes = "SELECT Likes FROM test1"; $Likes = mysql_query($requestLikes); $...
Jaypaque