Hello folks.
First of all, thanks for making this board a fantastic resource. It's been invaluable to me as I've been learning PHP.
OK, so I'm about to launch my first app and I'm concerned about people writing things into my MySQL database that they shouldn't be able to. I've read about "stripping", "slashing", "escaping" and "trimming" but I'm still not certain which of them I should be using, or if they're all different names for the same thing...
This is the code I'm using to make the variables safe before the MySQL query:
// Database connection here
mysql_connect($host, $user, $pass) or die('Connection died!');
// Get name from form
$name = $_POST["name"];
echo "Original version: ";
echo $name;
// Strip slashes
$name = stripslashes($name);
// Enclose in single quotes if it isn't a number
if (!is_numeric($name)) {
    $name = "'" . mysql_real_escape_string($name) . "'";
}
echo "<br /> Safe version: ";
echo $name;
But I'm getting some strange results. For starters, even the untouched, original $name seems to have backslashes ("\") inserted into it.
For example, if I input a string such as T'om \n into a form and submit it to the code above, I get:
Original version: T\'om \n
Safe version: 'T\'om \n'
What do I need to do in order to protect my database? Also, is there an easy way to remove the quotes when I want to display the db results at a later date? PHP is 4.3.4 if that helps.
Thanks in advance, Tom
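An added example, not the original poster's code, showing how a practitioner would handle this on PHP 4.3 with the mysql extension. The backslash in the "original" value comes from the magic_quotes_gpc setting (on by default in PHP 4), which escapes everything in $_POST before your script sees it; the example undoes that only when the setting is on, escapes only at the moment the query string is built, and escapes for HTML on output instead of "removing quotes" later. The table `users` with a column `name`, the variable $db, and the helper function names are assumptions made for the example.

```php
<?php
// Added example; not the original poster's code.
// Assumes a table `users` with a VARCHAR column `name`, and that
// $host, $user, $pass and $db are already defined (illustrative names).

// 1. Undo magic_quotes_gpc, if it is on, so the value holds the raw input.
//    This setting is what turns T'om into T\'om before the script runs.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 2. Escape for MySQL only when building the query, and always quote the
//    value. Escaping is a property of the SQL text, not of the data: the
//    stored row contains T'om with no backslash, so nothing has to be
//    "un-escaped" when the row is read back.
function sql_quoted($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

$link = mysql_connect($host, $user, $pass) or die('Connection died!');
mysql_select_db($db, $link) or die('Could not select database');

$name = raw_input($_POST['name']);

// Quoting a numeric value is harmless in MySQL, so there is no need for a
// separate unquoted branch for numbers; one code path is easier to get right.
$sql = "INSERT INTO users (name) VALUES (" . sql_quoted($name, $link) . ")";
mysql_query($sql, $link) or die('Insert failed: ' . mysql_error($link));

// 3. On the way out, escape for the output context (HTML here) rather than
//    stripping anything. The row holds T'om; htmlspecialchars() makes sure
//    a stored <script> tag is shown as text instead of run by the browser.
$result = mysql_query("SELECT name FROM users WHERE name = " . sql_quoted($name, $link), $link);
$row = mysql_fetch_assoc($result);
echo "Stored version: " . htmlspecialchars($row['name'], ENT_QUOTES);
?>
```

The mysql_* functions and magic_quotes_gpc were removed in later PHP releases; on those versions the same separation (raw data in, escaping applied per context on the way out) is done with parametrised queries through mysqli or PDO, and the stripslashes() step disappears entirely.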