• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 348
  • Last Modified:

letters, numbers and two ==

mysql_query("insert into table1(column1) values (''$queryString");

I am getting values from php $queryString
which only has letters and numbers and two == (at the end)

5445==
t3A2==
545Y==
 

what code do I need to add  to make $querySafe so no injection
and do not want to use pdo
0
rgb192
Asked:
rgb192
3 Solutions
 
gr8gonzoConsultantCommented:
// Remove any characters/data that aren't letters, numbers or equals signs
$queryString = preg_replace("/[^a-zA-Z0-9\=]/","",$queryString);

// Insert sanitized data
mysql_query("insert into table1(column1) values (''$queryString");
0
 
lwadwellCommented:
Use mysql_real_escape_string to adds escapes into values so that they cannot alter the SQL statement and helps avoid injection.
see http://php.net/manual/en/function.mysql-real-escape-string.php

If there are values that you want removed from the string ... by all means use a preg_replace to remove them.
0
 
Ray PaseurCommented:
This statement will most likely produce a parse error:
mysql_query("insert into table1(column1) values (''$queryString");

Open in new window


I would write it like this when I am still testing...
$sql = "insert into table1(column1) values ('$queryString')";
$res = mysql_query($sql);
if (!$res) die("FAIL: $sql <br/>" . mysql_error());

Open in new window


Just curious, since MySQLi and PDO are recommended by PHP.net, why do you not want to use them?  See the large red warning box here:
http://php.net/manual/en/function.mysql-error.php
0
 
rgb192Author Commented:
not really a mysql_escape string answer
so I think the best solution (for me at this moment) is the replace
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now