letters, numbers and two ==

mysql_query("insert into table1(column1) values (''$queryString");

I am getting values from php $queryString
which only has letters and numbers and two == (at the end)

5445==
t3A2==
545Y==
 

what code do I need to add  to make $querySafe so no injection
and do not want to use pdo
LVL 1
rgb192Asked:
Who is Participating?
 
gr8gonzoConsultantCommented:
// Remove any characters/data that aren't letters, numbers or equals signs
$queryString = preg_replace("/[^a-zA-Z0-9\=]/","",$queryString);

// Insert sanitized data
mysql_query("insert into table1(column1) values (''$queryString");
0
 
lwadwellCommented:
Use mysql_real_escape_string to adds escapes into values so that they cannot alter the SQL statement and helps avoid injection.
see http://php.net/manual/en/function.mysql-real-escape-string.php

If there are values that you want removed from the string ... by all means use a preg_replace to remove them.
0
 
Ray PaseurCommented:
This statement will most likely produce a parse error:
mysql_query("insert into table1(column1) values (''$queryString");

Open in new window


I would write it like this when I am still testing...
$sql = "insert into table1(column1) values ('$queryString')";
$res = mysql_query($sql);
if (!$res) die("FAIL: $sql <br/>" . mysql_error());

Open in new window


Just curious, since MySQLi and PDO are recommended by PHP.net, why do you not want to use them?  See the large red warning box here:
http://php.net/manual/en/function.mysql-error.php
0
 
rgb192Author Commented:
not really a mysql_escape string answer
so I think the best solution (for me at this moment) is the replace
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.