Home/ Questions/Q 955049
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T00:18:58+00:00

I have the following code that adds a record to my MySQL database via

  • 0

I have the following code that adds a record to my MySQL database via PHP:
Contact is just a plain string.

$contact = mysql_real_escape_string(stripslashes($_POST["contact"]), $con); 
$sql="INSERT INTO custom_downloads (contact) VALUES ('$contact')";

Is this good enough to prevent any sort of SQL injection attacks? What else can I do to cleanse the data?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    bluebit, your code is secure with regard that you’re protecting against SQL Injection but you’re not secure against things like XSS (Cross Site Scripting). This is the ability to pass Javascript into this field and then when you output it, you’re outputting the Javascript.

    To avoid this you can run your input through strip_tags() http://www.php.net/strip_tags this will remove all HTML tags from your input, thus getting rid of

    Here is a nice function that you can reuse for all inputs you’re receiveing from $_POST and wish to secure

    $cleanInput = cleanPost($_POST['contact']);

function cleanPost($item) {
    return mysql_real_escape_string(strip_tags(stripslashes($item)));
}

    There is also a built-in function in PHP for handling input types called filter_var() This allows you to specify wether you want to remove HTML and such, just like strip_tags()

    Hopet this you realise you need to protect against SQL Injection and XSS.

    • 0