Quote:
Originally Posted by Frodo  It escapes nasty charters in you sql statements. It's essential to stop mysql injection attacks.
Your insert code should look like this: PHP Code: $content = $_POST['content'];
$dbcontent = mysql_escape_string($content);
$sql="insert into some_table(msContent) values ('".$dbcontent."')";
$result = mysql_query($sql,$conn) or die("Fail");
|
No need to worry abouy sql injection attacks on the pages in questions, there secure enough already, so if i have something like so it should work?
PHP Code:
<?php
header("Location: ../news/1.htm");
include('../forum/SSI.php');
dbConnect();
global $context;
if($context['user']['is_logged'])
{
$validate_admin = check_admin_userid($context['user']['id']);
$validate = check_sec_admin_userid($context['user']['id'],2);
if(($validate == true) || ($validate_admin == true))
{
$content = mysql_escape_string($_REQUEST['body']);
mysql_query("UPDATE news SET title='".$_GET['title']."', body='".$content."' WHERE id=".$_GET['id']."");
}
}
closeConnect();
?>
Tired this but the stripslashes function is not working when displaying the text now!?