Quote:
Originally Posted by drew22299
I want to allow users to enter their location in their profile but I don't want to allow symbols or MySQL queries.
I entered the following: Bristol^&*^
using the following code:
Code:
$location = stripslashes($_POST['location']);
$location = serialize($location);
And the output stored in the database was:
s:11:"Bristol^&*^";
Your explanations are good but I still don't know how to prevent MySQL injection attacks other than use mysql_real_escape_string(). What exactly do I need to stop MySQL code entered by a user executing?
Thanks,
|
This seems a little nuts for what's going on here. If you want someone's name without all the extra crap, why not something like this..
Code:
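// ereg_replace() was removed in PHP 7; preg_replace() accepts the same character class.
function letters_spaces($string)
{
    // Strip everything that is not a letter or whitespace.
    return preg_replace("/[^[:space:]A-Za-z]/", "", $string);
}
$cleanname = letters_spaces($_POST['dirtyname']);
echo $cleanname;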
outputs sBristol
Maybe I'm wrong, but that's what I'd try..
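An added example, not part of either post: it validates the location against an allowlist and then stores it through a bound parameter, so that a value containing a quote is stored as data rather than parsed as SQL. The `profiles` table, the function names `clean_location` and `save_location`, and the SQLite in-memory DSN (standing in for a MySQL DSN so the script runs offline) are assumptions.

```php
<?php
// Added example. Table, column and function names are hypothetical.

// Allowlist check: letters, spaces, hyphens and apostrophes, 1-64 characters.
function clean_location(string $raw): ?string
{
    $value = trim($raw);
    if (!preg_match('/^[A-Za-z][A-Za-z \'-]{0,63}$/D', $value)) {
        return null; // reject rather than silently rewrite the input
    }
    return $value;
}

// Store the value with a prepared statement; the driver sends the value
// separately from the SQL text, so it is never interpreted as a query.
function save_location(PDO $pdo, int $userId, string $raw): bool
{
    $location = clean_location($raw);
    if ($location === null) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO profiles (user_id, location) VALUES (:id, :loc)'
    );
    $stmt->execute([':id' => $userId, ':loc' => $location]);
    return true;
}

// Assumption: in-memory SQLite for the demo. With MySQL, use a mysql: DSN
// and set PDO::ATTR_EMULATE_PREPARES to false for server-side prepares.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, location TEXT)');

// Constructed sample inputs, including the one from the question.
$samples = [1 => 'Bristol', 2 => 'Bristol^&*^', 3 => "St John's"];
foreach ($samples as $id => $input) {
    $ok = save_location($pdo, $id, $input);
    printf("%-14s %s\n", $input, $ok ? 'stored' : 'rejected');
}

// Show what actually reached the table.
foreach ($pdo->query('SELECT user_id, location FROM profiles') as $row) {
    echo $row['user_id'], ': ', $row['location'], "\n";
}
```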