Oct 6th, 2009, 08:52 AM
#8
Re: Text Box Help
It's evident from the code you posted that the server you're using has magic_quotes_gpc on (otherwise, no, the code you posted would not run if you had a single quote in either of those fields). As mentioned earlier, this is a deprecated feature and isn't something you should be [implicitly] supporting. You should use a recursive function that strips those slashes from the superglobals, and then prepare them for the database (via the mysql_real_escape_string() function or a prepared statement using mysqli or PDO) yourself later on.
Whichever way you decide to prepare the statements, you should try to avoid making posts that do not emphasise how easy it is to build a website that can be vulnerable to SQL injection.
Oh, and as always, try not to be echoing HTML! PHP is an embedded language (meaning it should be embedded within HTML, and not used to output HTML), and thus should be treated as though it is one.
I feel so anal-retentive.
Last edited by kows; Oct 6th, 2009 at 08:57 AM.
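The approach described in the post above, as an added example that is not kows' code or the original poster's: recursively undo the magic_quotes_gpc escaping, then bind the raw values with a PDO prepared statement and escape only on output. The table `users(name, email)` and the connection details are assumed for illustration.

```php
<?php
// Added example (not code from the thread): undo magic_quotes_gpc escaping
// recursively, then hand the raw values to a prepared statement.

// Recursively strip the backslashes magic_quotes_gpc added to a value or to
// a nested array (e.g. $_POST['name'] or $_POST['items'][0]).
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

// Only undo the escaping if the deprecated feature is actually enabled;
// otherwise we would strip legitimate backslashes the user typed.
// function_exists() guards the call on PHP versions that removed it.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET     = stripslashes_deep($_GET);
    $_POST    = stripslashes_deep($_POST);
    $_COOKIE  = stripslashes_deep($_COOKIE);
    $_REQUEST = stripslashes_deep($_REQUEST);
}

// Assumed connection and schema for illustration: users(name, email).
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
));

$name  = isset($_POST['name'])  ? $_POST['name']  : '';
$email = isset($_POST['email']) ? $_POST['email'] : '';

// The values never become part of the SQL text, so a single quote in
// "O'Brien" is stored as typed instead of breaking or altering the query.
$stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$stmt->execute(array(':name' => $name, ':email' => $email));
?>
<!-- PHP embedded in the HTML, escaping for the HTML context at output time -->
<p>Saved <?php echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); ?>.</p>
```

Escaping belongs to the context the value is leaving for: the prepared statement handles the SQL side, and htmlspecialchars() handles the HTML side, so neither needs magic_quotes to have done anything.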