SQL Sanitize

Page 1 of 1

2 Replies - 357 Views - Last Post: 07 April 2009 - 05:30 PM

#1 sandman85048

  • New D.I.C Head

Reputation: 0
  • Posts: 34
  • Joined: 20-October 07

SQL Sanitize

Posted 11 November 2007 - 07:35 AM

Description: "Sanitize" a string of SQL code to prevent SQL injection.
/*
Function: sql_sanitize( $sCode )
Description: "Sanitize" a string of SQL code to prevent SQL injection.
Parameters: $sCode: The SQL code which you wish to sanitize.
Example: mysql_query('UPDATE table SET value="' . sql_sanitize("' SET id='4'") . '" WHERE id="1"');
Requirements: PHP version 4 or greater; mysql_real_escape_string() also needs an open mysql connection
*/
function sql_sanitize( $sCode ) {
	if ( function_exists( "mysql_real_escape_string" ) ) { // If PHP version >= 4.3.0
		$sCode = mysql_real_escape_string( $sCode ); // Escape the MySQL string, using the open connection's charset.
	} else { // If PHP version < 4.3.0
		$sCode = addslashes( $sCode ); // Precede sensitive characters with a backslash (charset-unaware fallback)
	}
	return $sCode; // Return the escaped string; it is only safe inside a quoted SQL string literal
}



Replies To: SQL Sanitize

#2 capoenkz

  • New D.I.C Head

Reputation: 0
  • Posts: 1
  • Joined: 30-January 09

Re: SQL Sanitize

Posted 30 January 2009 - 06:26 AM

How do I use it? I'm new here. Thanks.

#3 huzi8t9

  • D.I.C Regular

Reputation: 25
  • Posts: 367
  • Joined: 11-July 07

Re: SQL Sanitize

Posted 07 April 2009 - 05:30 PM

// Requires sql_sanitize() from the first post and an open mysql connection.
$code = '<script language="javascript">
            body.onload = top.location = "http://www.google.co.uk"
          </script>';
//^^ Code submitted by a bad user
$new_code = sql_sanitize($code);
// Insert your code into the database.
mysql_query("INSERT INTO table (comment) VALUES('$new_code');");



Hope this helps. Also, I hope it's right :)
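Editor's note on the two posts above. Escaping, which is all sql_sanitize() does, only protects a value that lands inside a quoted SQL string literal; it does nothing for a value interpolated into an unquoted numeric context, and it depends on the connection charset matching what the escape function assumes. The standard fix is a prepared statement, which sends the SQL and the data separately so the data is never parsed as SQL. The example below is added here and is not code from either post. It uses addslashes() as a stand-in for mysql_real_escape_string() so the escape-only part runs with no database; the mysqli functions assume an open connection and hypothetical tables users(id, name) and comments(comment). It also covers the last reply's script payload: SQL escaping says nothing about HTML, so a stored comment still has to be encoded when it is rendered.

```php
<?php
// Added example, not code from the original posts. addslashes() stands in for
// mysql_real_escape_string() so the escape-only part runs offline; the mysqli
// functions assume a connection and tables users(id, name) / comments(comment).
declare(strict_types=1);

// 1. Escape-only "sanitizing", the approach taken by sql_sanitize() above.
function escape_only(string $input): string
{
    return addslashes($input);
}

// Unquoted numeric context: the payload contains no quote, backslash or NUL,
// so escaping leaves it untouched and the injection goes straight through.
function query_numeric_context(string $id): string
{
    return 'SELECT id, name FROM users WHERE id=' . escape_only($id);
}

// Quoted string context: here escaping does neutralise the quote, but only
// because this particular caller remembered to put the quotes around it.
function query_quoted_context(string $name): string
{
    return "SELECT id, name FROM users WHERE name='" . escape_only($name) . "'";
}

// 2. Hardened version: validate the type first, then bind the value through a
//    prepared statement so the driver never lets it be parsed as SQL.
function find_user_by_id(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                      // "1 OR 1=1" is rejected before any SQL runs
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($foundId, $foundName);
    $row = $stmt->fetch() ? ['id' => $foundId, 'name' => $foundName] : null;
    $stmt->close();
    return $row;
}

// The INSERT from the last reply, done the same way: the comment body is
// bound, not interpolated, so quotes and <script> tags are stored as plain text.
function store_comment(mysqli $db, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO comments (comment) VALUES (?)');
    $stmt->bind_param('s', $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// 3. Output encoding is a separate job: a stored <script> tag must be
//    HTML-encoded when rendered, or the "bad user" gets stored XSS instead.
function render_comment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Offline demonstration of the escape-only behaviour and of output encoding.
echo query_numeric_context('1 OR 1=1'), PHP_EOL;
echo query_quoted_context("' OR '1'='1"), PHP_EOL;
echo render_comment('<script>top.location="http://www.google.co.uk"</script>'), PHP_EOL;
```

Run under the PHP CLI, the first echo prints `WHERE id=1 OR 1=1` unchanged, which returns every row; the second prints `WHERE name='\' OR \'1\'=\'1'`, where the quote is neutralised only because the caller quoted the value; the third prints the script tag with `<`, `>` and `"` encoded, so the browser shows it as text rather than executing it. find_user_by_id() and store_comment() need a live mysqli connection to run.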
