Is this PHP line sufficient to prevent the implementation of MySQL?

Question

Is this PHP line sufficient to prevent the implementation of MySQL?

I have the following code that adds an entry to my MySQL database via PHP: Contacts is a simple line.

$contact = mysql_real_escape_string(stripslashes($_POST["contact"]), $con); 
$sql="INSERT INTO custom_downloads (contact) VALUES ('$contact')";

How much is enough to prevent any SQL injection attack? What else can be done to clear the data?

+3

php mysql

bluebit Jul 29 '10 at 9:39

source share

4 answers

, mysql_real_escape_string , SQL-.

+4

Mark Byers 29 . '10 9:40

, contact - "", . , - .

. . , , , .

+3

Anton Gogolev 29 . '10 9:42

javascript; javascript, -, .

, htmlentities.

+1

Guillaume Lebourgeois 29 . '10 9:41

Paul Dragoonis · Accepted Answer · 2010-07-29T10:01:34+0000

bluebit, your code is protected given that you are protecting against SQL Injection, but you are not protected from things like XSS (Cross Site Scripting). This is the ability to pass Javascript to this field, and then when you output it, you output Javascript.

, strip_tags() www.php.net/strip_tags, HTML ,

, , $_POST,

$cleanInput = cleanPost($_POST['contact']);

function cleanPost($item) {
    return mysql_real_escape_string(strip_tags(stripslashes($item)));
}

PHP filter_var(). , HTML .., strip_tags()

Hopet this , SQL Injection XSS.

Is this PHP line sufficient to prevent the implementation of MySQL?

More articles: