Preventing SQL injection in PHP with MDB2

php postgresql sql-injection mdb2
Lucas Kauffman picture Lucas Kauffman · Jul 17, 2011 · Viewed 9.8k times · Source

I'm trying to figure out how to prevent sqlinjection, I wrote this basic function : function 

antiInjectie($inputfromform){
    $temp = str_replace("'", "`",$inputfromform);
    $temp = str_replace("--", "~~",$temp);
    return htmlentitites($temp);
}

However someone told me to also take hex values in consideration, but how do I do this?

Update I'm stuck with MDB2 and pgsql

Answer

Quentin picture Quentin · Jul 17, 2011

Bobby-Tables has a good guide to preventing SQL injection.

In short: Don't twiddle with the input yourself, use database API methods that allow bound parameters.

Related questions

Cannot simply use PostgreSQL table name ("relation does not exist")

I'm trying to run the following PHP script to do a simple database query: $db_host = "localhost"; $db_name = "showfinder"; $username = "user"; $password = "password"; $dbconn = pg_connect("host=$db_host dbname=$db_name user=$username password=$password") or die('Could …

Read More
Laravel: Error [PDOException]: Could not Find Driver in PostgreSQL

I'm trying to connect with PostgreSQL database through Laravel in order to do a php artisan migrate but doesn't seem to be directed since it's reading the database name of MySQL. Here are the commands from database.php: 'connections' => …

Read More
How do I enable php to work with postgresql?

<?php try { $dbh = new PDO('pgsql:host=localhost;port=5432;dbname=###;user=###;password=##'); echo "PDO connection object created"; } catch(PDOException $e) { echo $e->getMessage(); } ?> I get the error message "Could Not Load Driver"

Read More