I just wonder if this line of code is safe to use to avoid SQL injection?
// username and password sent from form
$myusername=$_POST['loginUserName'];
$mypassword=$_POST['loginPassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
Do I need to stripslashes?
It’s safer to use prepared statements, so that the (potentially malicious) values are separated from the query string, rather than relying on escaping. Read about PHP Data Objects.
Regarding stripslashes(), that should only be necessary if you have PHP’s magic_quotes_gpc feature turned on, which you shouldn’t because it’s deprecated. If you want to be robust, though, do

if (get_magic_quotes_gpc()) $myusername = stripslashes($myusername);

so that it removes a layer of slashes if and only if one was added.
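The prepared-statement approach the answer recommends, written out as an added example (this is not the asker's or the answerer's code). It uses an in-memory SQLite database so it runs offline; the table name, column names and the seeded user are assumptions, and the password is checked with password_verify() against a stored password_hash() value rather than being put into the SQL at all. The constructed inputs stand in for $_POST['loginUserName'] and $_POST['loginPassword'].

```php
<?php
// Added example: login via PDO prepared statements with bound parameters.
// Swap the DSN for "mysql:host=...;dbname=..." plus a username/password in
// practice; for the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false
// so the server, not the client library, does the parameter binding.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Assumed schema and seed data (constructed for the example).
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$seed = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$seed->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $username, string $password): bool
{
    // The SQL text contains only a placeholder; the value travels separately,
    // so nothing in $username can change the structure of the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // no such user
    }
    // Compare against the stored hash instead of matching the password in SQL.
    return password_verify($password, $row['password_hash']);
}

// Constructed inputs standing in for the form fields.
$inputs = [
    ['alice', 'correct horse'],            // valid credentials
    ['alice', 'wrong'],                    // bad password
    ["alice' OR '1'='1", 'anything'],      // classic injection attempt
    ["alice'; DROP TABLE users; --", 'x'], // stacked-query attempt
];
foreach ($inputs as [$u, $p]) {
    printf("%-32s -> %s\n", $u, login($pdo, $u, $p) ? 'login OK' : 'rejected');
}

// The injection attempts were looked up as literal usernames; the table is intact.
echo 'users rows: ' . $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn() . "\n";
```

Note the version caveats for the code in the question: magic_quotes_gpc was removed in PHP 5.4, the mysql_* functions (including mysql_real_escape_string) were removed in PHP 7.0, and get_magic_quotes_gpc() itself was removed in PHP 8.0, so on any currently supported PHP neither the stripslashes() step nor the escaping call is available; prepared statements are the only option left, and the better one regardless.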