filtering MYSQL database input in PHP does not work
I am trying to make a PHP form where the user inputs a text string, and then it is stored in a MySQL db.

1.php Code:
<form action="2.php" method="post">
  <input type="text" name="txt_name">
  <input type="submit">
</form>

2.php Code:
<?php echo filter_var($_POST["txt_name"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH); ?>

Both web pages are UTF-8. I want the db to accept any foreign-language characters too, as long as they are database-safe.

With FILTER_FLAG_STRIP_HIGH, foreign-language characters are removed but injection attempts are not:

input Code:
≠≠");DROP SCHEMA

output Code:
");DROP SCHEMA

With FILTER_FLAG_STRIP_LOW, no filtering happens at all:

output Code:
≠≠");DROP SCHEMA

How to do it right?
Hi
You could use FILTER_SANITIZE_MAGIC_QUOTES instead, which just does the same as addslashes. It is safe as long as the encoding of the database connection is UTF-8, but not always with other encodings. The only 100% safe method is to either use mysqli with prepared statements, or use mysqli_real_escape_string, because the escaping needs to know which encoding it is dealing with.
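An added example (not code from either post in this thread) of the prepared-statement route the reply recommends. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; the MySQL DSN in the comment (with charset=utf8mb4, so the driver knows the connection encoding) is what you would use in production. The table name, column name and sample inputs are made up here. Note for anyone reading this on a current PHP: FILTER_SANITIZE_MAGIC_QUOTES was removed in PHP 8.0 and FILTER_SANITIZE_STRING was deprecated in 8.1, so parameter binding is the option that remains.

```php
<?php
// Added example, not from the original thread: store arbitrary user text
// (non-ASCII characters and SQL-looking input alike) with a prepared statement.
// The value is bound as data, so it can never become part of the SQL text.

declare(strict_types=1);

/**
 * Open a connection. Assumption for the demo: SQLite in memory, so this runs
 * offline. For MySQL you would use a DSN such as
 *   'mysql:host=localhost;dbname=app;charset=utf8mb4'
 * (hypothetical values) so the connection encoding is declared up front.
 */
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Table/column names are made up for this example.
    $pdo->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, txt_name TEXT NOT NULL)');
    return $pdo;
}

/** Insert one submitted string and return its new row id. */
function storeName(PDO $pdo, string $txtName): int
{
    // Validate the encoding instead of silently stripping bytes:
    // reject anything that is not well-formed UTF-8.
    if (!mb_check_encoding($txtName, 'UTF-8')) {
        throw new InvalidArgumentException('txt_name is not valid UTF-8');
    }
    // Named placeholder: the driver sends the SQL and the value separately.
    $stmt = $pdo->prepare('INSERT INTO names (txt_name) VALUES (:txt_name)');
    $stmt->execute([':txt_name' => $txtName]);
    return (int) $pdo->lastInsertId();
}

/** Read a stored string back, again through a bound parameter. */
function fetchName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT txt_name FROM names WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['txt_name'];
}

/**
 * Escaping for the HTML page, which is the job filter_var was being asked to do.
 * SQL safety (binding) and HTML safety (escaping on output) are separate steps.
 */
function renderName(string $txtName): string
{
    return htmlspecialchars($txtName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demo with constructed inputs (the string from the question plus some
// non-ASCII text), not read from $_POST.
$pdo = openDb();
foreach (['≠≠");DROP SCHEMA', 'Zoë Ångström 日本語'] as $input) {
    $id = storeName($pdo, $input);
    printf("row %d stored as: %s\n", $id, fetchName($pdo, $id));
    printf("row %d for HTML:   %s\n", $id, renderName(fetchName($pdo, $id)));
}
// Both rows exist and hold the literal text; nothing in the input was executed.
$count = (int) $pdo->query('SELECT COUNT(*) FROM names')->fetchColumn();
echo $count === 2 ? "ok: 2 rows, table intact\n" : "unexpected row count\n";
```

Run it with `php example.php` (pdo_sqlite and mbstring enabled). The point to take from it: the ≠ characters survive unchanged because the string is bound rather than filtered, and the `");DROP SCHEMA` part is stored as plain text because it never reaches the SQL parser. Do the HTML escaping only when you echo the value back into the page.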