Menu
Community /Pin to ProfileBookmark
@NogDogMar 23.2006 — #Spaces are not normally a security issue, to the best of my knowledge. Usually it's quotes and possibly back-slashes. The way I normally clean up user input before use in a query is:
If using a database system other than MySQL, you'll probably need to replace mysql_real_escape_string() with addslashes():
Product Search Security
I’m developing an e-commerce site, and thus far I have been able to add security against SQL injections by either removing spaces when getting information from the user, or replacing spaces with underscores when they are necessary (Like for addresses). But for the product search I am unable to do this without causing the query to fail. It is working fine right now but it takes the users query as is, so there is 0 security.
If anyone has some ideas for this or some experience please offer some advice.
Sign in
to post a comment1 Comments(s) ↴
0
@NogDogMar 23.2006 — #Spaces are not normally a security issue, to the best of my knowledge. Usually it's quotes and possibly back-slashes. The way I normally clean up user input before use in a query is:[code=php]
function sanitize($text)
{
if(get_magic_quotes_gpc())
{
$text = stripslashes($text);
}
$text = mysql_real_escape_string($text);
return($text)
}
// USAGE:
$search = sanitize($_POST['search']);
[/code]If using a database system other than MySQL, you'll probably need to replace mysql_real_escape_string() with addslashes():
[code=php]
function sanitize($text)
{
if(!get_magic_quotes_gpc())
{
$text = addslashes($text);
}
return($text);
}
[/code]