-2

Possible Duplicate:
Best way to prevent SQL injection in PHP?

I've made a PHP script ectracting xml values and inserting them into a SQL DB.

However these strings have all kind of signs, backslash, %, *, ', etc. And usally i end up with an error.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL        server version for the right syntax to use near 's demanding business environment. 
Product Lin' at line 2

I have tried a few things like "stripslashes" etc. Bu i cant seems to find the commaned to "protect" the variable for interfering with my SQL.

Any ideas ?

Community
  • 1
  • 1
Ulrik Vadstrup
  • 49
  • 1
  • 9
  • You have to use PDO. Not only will it solve your issues but it will make your script much more secure from injection attacks. http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/ PDO documentation : http://php.net/manual/en/book.pdo.php – Jack Brown Oct 07 '12 at 10:22

2 Answers2

2

If you're using the PHP mysql module, then

 $escaped_string = mysql_real_escape_string($your_variable);

should do the trick.

Ref: http://www.php.net/manual/en/function.mysql-real-escape-string.php

(If you're using PDO or MySQLi, the relevant links are there too)

sleepy_keita
  • 1,488
  • 4
  • 17
  • 26
1

If you are using old mysql_query() system you should use mysql_real_escape_string() before inserting a string into your SQL for escaping string. Like this :

$myStringEscaped = mysql_real_escape_string($myString);
Ifnot
  • 4,914
  • 4
  • 33
  • 47
  • I'm not sure why people are voting down. Would be nice if they left a message....I guess this forum is for helping each other ?. Thanks for the help all :-) – Ulrik Vadstrup Oct 07 '12 at 13:51