LinuxQuestions.org
Old 05-30-2011, 08:50 AM   #1
Latios
filtering MYSQL database input in PHP does not work


I am trying to make a PHP form where the user inputs a text string, and then it is stored in a MySQL db.

1.php
Code:
<form action="2.php" method="post">
Your name: <input type="text" name="txt_name" />
<input type="submit" />
</form>
2.php
Code:
<?php echo filter_var ($_POST["txt_name"], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH) ; ?>
In 2.php, instead of the echo, I want to send it to the db.

Both web pages are UTF-8. I want the db to accept any foreign language characters too, as long as they are database-safe.



With FILTER_FLAG_STRIP_HIGH, foreign language characters are removed but injection attempts are not:

input
Code:
≠≠");DROP SCHEMA
output
Code:
");DROP SCHEMA


With FILTER_FLAG_STRIP_LOW, no filtering happens at all:

output
Code:
≠≠");DROP SCHEMA


How to do it right?
 
Old 05-30-2011, 09:04 AM   #2
Guttorm
Hi

You could use FILTER_SANITIZE_MAGIC_QUOTES instead, which just does the same as addslashes. It is safe as long as the encoding of the database connection is UTF-8, but not always with other encodings. The only 100% safe method is to either use mysqli with prepared statements, or use mysqli_real_escape_string, because the escaping needs to know which encoding it is dealing with.
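
The mysqli prepared-statement approach named in the answer above, written out as a replacement for 2.php. This is an added example, not code from the thread; the credentials, the database `testdb`, the table `names` and the 100-character limit are assumptions, and it needs the mbstring extension.

```php
<?php
// 2.php (added example): store the posted name with a prepared statement.
// Assumed, not from the thread: the credentials, database "testdb" and a table
//   CREATE TABLE names (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(100)) CHARACTER SET utf8mb4;

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$name = $_POST['txt_name'] ?? '';
if (!is_string($name)) {          // txt_name[]=x would arrive as an array
    http_response_code(400);
    exit('Invalid name');
}
$name = trim($name);

// Validate instead of stripping: reject input that is empty, not well-formed
// UTF-8 or too long for the column, and keep every legitimate character.
if ($name === ''
    || !mb_check_encoding($name, 'UTF-8')
    || mb_strlen($name, 'UTF-8') > 100) {
    http_response_code(400);
    exit('Invalid name');
}

// Placeholder connection details.
$db = new mysqli('localhost', 'app_user', 'app_password', 'testdb');

// Declare the connection encoding to the client library. This is the
// encoding mysqli_real_escape_string() depends on, and utf8mb4 also keeps
// 4-byte characters intact.
$db->set_charset('utf8mb4');

// The SQL text is fixed and the value is sent separately as a bound
// parameter, so quotes and semicolons in it are stored as data and are
// never parsed as SQL.
$stmt = $db->prepare('INSERT INTO names (name) VALUES (?)');
$stmt->bind_param('s', $name);
$stmt->execute();

// Escape for HTML at output time only, not before storage.
header('Content-Type: text/html; charset=utf-8');
echo 'Stored: ', htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
```

With the input from the question, `≠≠");DROP SCHEMA`, the row holds that exact string and no statement other than the INSERT runs.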
 
  

