$name = $_POST['name']; $name = mysql_real_escape_string($name);

Is the above enough to remove any injection or is there anything else that should be done also?

should i remove slashes?

how about get_magic_quotes_gpc ?

thanks Shaz x

See Example#3 A "Best Practice" query at http://us3.php.net/mysql_real_escape_string

See http://us3.php.net/manual/en/securit...-injection.php

See http://www.webmaster-talk.com/php-fo...must-read.html (which has a link to a thread about SQL Injection -- the linked-to thread listed here is a sticky, so it's a good pointer to check those out)

Thanks for that JeremyMiller
i have used all in the examples and seems to be working fine

Is there anyone here that wants to try a MySQL injection on my database as i don't know how? i have it fully backed up and only my profile in it.
i can send the url by pm if you want to try?

thanks

Shaz x

Would anyone be prepared to spend a couple of mins to try sql injection for me?

i can give you the url by pm as long as you don't laugh! lol

Shaz x

Send me the URL I'll check it

Thanks!

its coming now

Shaz x

Same i will have a go

URL on the way but don't laugh!
its my first php site and far far from complete yet lol

it survived NullPointer's attack so hopefully it will yours to lol

Thanks

Shaz x

im crap at sql injection lol did nullpointer try using the encoded chars i know u can use them which gets past the mysql_real_escape func

Quote:

Originally Posted by dansgalaxy

im crap at sql injection lol did nullpointer try using the encoded chars i know u can use them which gets past the mysql_real_escape func

not sure what he used

but to stop injection, i used

mysql_real_escape_string
get_magic_quotes_gpc

and then added some other code to look for certain symbols

hopefully it will be enough lol

i am making the actual profile pages now and just writing the bit for picture upload so i have to watch security on that to now hehe

thanks for trying

Shaz x