Tuesday, July 3, 2012

PHP addslashes to prevent MySQL injection



To prevent MySQL injection, we can use the PHP function addslashes, which adds a backslash before each single quote ('), double quote ("), backslash (\) and NUL byte in a string before that string is placed into a MySQL database query. Example:
$_POST['password'] = trim($_POST['password']);       // strip leading and trailing whitespace
$_POST['password'] = addslashes($_POST['password']); // escape ' " \ and NUL with a backslash
Here we first use the PHP trim function, which by default strips whitespace from the beginning and end of a string. It can also strip other characters when they are specified in its second parameter.

A better function is mysqli_real_escape_string in PHP 5. In older versions of PHP, mysql_real_escape_string is used instead.
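The following is an added example, not code from the original post, that builds the same password lookup three ways: with addslashes as described above, with the connection-aware mysqli_real_escape_string, and with a prepared statement. The table and column names, the sample inputs and the mysqli connection are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Table/column names and the
// connection details are hypothetical placeholders.

// Constructed test inputs covering every character addslashes() rewrites.
$samples = [
    "O'Brien",          // legitimate apostrophe in a real value
    "x\" OR \"1\"=\"1", // double quotes
    "back\\slash",      // a literal backslash
    "nul\0byte",        // a NUL byte
];

// 1. The approach described in the post: addslashes() is charset-unaware and
//    only knows about ' " \ and NUL.
function build_query_addslashes(string $password): string {
    $clean = addslashes(trim($password));
    return "SELECT id FROM users WHERE password='$clean'";
}

// 2. mysqli_real_escape_string() escapes according to the character set of
//    the open connection, so it needs a live mysqli handle. Set the charset
//    with mysqli_set_charset() so the escaper and the server agree on it.
function build_query_mysqli(mysqli $db, string $password): string {
    $clean = mysqli_real_escape_string($db, trim($password));
    return "SELECT id FROM users WHERE password='$clean'";
}

// 3. A prepared statement never splices the value into the SQL text at all,
//    so no escaping step is required for the bound parameter.
function lookup_user_prepared(mysqli $db, string $password): ?int {
    $stmt = $db->prepare("SELECT id FROM users WHERE password = ?");
    $p = trim($password);          // bind_param() takes its arguments by reference
    $stmt->bind_param("s", $p);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

// Show what addslashes() does to each sample; this part needs no database.
foreach ($samples as $s) {
    echo build_query_addslashes($s), PHP_EOL;
}

// The two connection-backed variants, guarded so the script runs offline.
$db = @new mysqli("127.0.0.1", "user", "pass", "app"); // placeholder credentials
if ($db->connect_errno === 0) {
    $db->set_charset("utf8mb4");
    echo build_query_mysqli($db, $samples[0]), PHP_EOL;
    var_dump(lookup_user_prepared($db, $samples[0]));
}
```

Running the loop shows that addslashes turns `O'Brien` into `O\'Brien` and the NUL byte into the two characters `\0`; the mysqli variant produces the same text for ASCII input but differs for multibyte character sets, which is why it is the better choice of the two.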
