Home/ Questions/Q 1063421
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-16T18:46:55+00:00

this question had been evolving in my mind, how do i totally stop the

  • 0

this question had been evolving in my mind, how do i totally stop the users from entering some crazy SQL injections. isn’t mysql_real_escape_string powerful enough to stop it? i followed some guidelines though there were some users in here who criticized my code and gave me thumbs down for the security. i was unable to understand the reason behind it. though i am not using $_GET, the only user input is through commenting system. i just want to make sure i am not going wrong. here is my sample code. 

$name = htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['com_name'])));

I have used the same for some 5 fields. what is your take on my above code?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The idea is not to stop the users from entering it, but to make sure you enter them in the database query safely. This means using mysql_real_escape_string or using parameterized queries with mysqli:

    /* Prepare an insert statement */
$query = "INSERT INTO myCity (Name, CountryCode, District) VALUES (?,?,?)";
$stmt = mysqli_prepare($link, $query);

mysqli_stmt_bind_param($stmt, "sss", $val1, $val2, $val3);

    You also need to make sure your properly html encode fields you read from the database, to avoid that the user is able to inject html (and also javascript)

    • 0