Home/ Questions/Q 546035
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T10:49:28+00:00

now i have this form post script <? if(isset($_POST[‘baslik’])) { $sql = INSERT INTO

  • 0

now i have this form post script

  <?
   if(isset($_POST['baslik'])) {
$sql = "INSERT INTO yazilar (baslik, spot, spot_kisa, spot_resim, spot_resim_isim, icerik, kategori, tiklanma, eklemetarihi)
VALUES
('$_POST[baslik]','$_POST[spot]','$_POST[spot_kisa]','$_POST[spot_resim]','$_POST[spot_resim_isim]','$_POST[icerik]','$_POST[kategori]','$_POST[tiklanma]','$_POST[tarih]')";
$sonuc = mysql_query($sql) or die(mysql_error());
  if ($sonuc) {
    echo ("<p class='msg done'>Yeni icerik basarili bir sekilde eklendi.</p>");
    exit;
  } 
  else {
    $error = "<p class='msg warning'>Ekleme basarisiz oldu.</p>";  
  }
}
         ?>

how can i ignore sql injections for this query?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Using parametrised queries as jammycackes suggests is the way to go, but if you for some reason cannot use them then you can use the mysql-real-escape-string function to block most (all?) dangerous values. The problem is that you must use it on every received value, so you cannot use the shorthand notion you use in your example.

    • 0