  1. #1
    SitePoint Enthusiast

    Little help with forms

    Hi, I was searching and came across some code on here, and I decided to put it in the form I already had, since one of my forms seemed to be getting attacked with SQL injections.

    PHP Code:
    <?php
    $connection = mysql_connect($host, $user, $pass);
    mysql_select_db($db);

    function quote_smart($value)
    {
        // Stripslashes: undo magic_quotes_gpc before escaping, so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not integer: escape string values for use inside a quoted SQL literal
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }
        return $value;
    }

    function filter($text)
    {
        // Word list as posted (the forum masked the words themselves)
        $replace = array('****' => '****', '****' => '****', 'pussy' => '*****', '*****' => '*****', 'sex' => '***');
        foreach ($replace as $old => $new) {
            $text = str_replace($old, $new, $text);
        }
        return $text;
    }

    if (isset($_POST['submit'])) {
        // Last comment time and ban flag for this client address (used for rate limiting and bans)
        $result = mysql_query("select max(`time`), max(`banned`) from `comments` where `ip` = '" . $_SERVER['REMOTE_ADDR'] . "'");
        $result = mysql_fetch_array($result);

        $name    = quote_smart(filter(strtolower($_POST['name'])));
        $message = quote_smart(filter(strtolower($_POST['message'])));

        // Allow one comment every 20 seconds, and none from banned addresses
        if (((time() - $result[0]) > 20) && ($result[1] != 1)) {
            mysql_query("insert into comments(`name`,`time`,`message`,`ip`, `yesno`)
                values('$name','" . time() . "','$message','" . $_SERVER['REMOTE_ADDR'] . "','no')");
        } else {
            echo "<div>Slow down!</div>";
        }
        // The original had a stray mysql_query($query) call here with $query never defined; removed
        echo "<div>Thank You For The Comment Waiting For Approval</div>";
    }
    I thought quote_smart was to remove slashes, unless I am not using it right, because I was able to add HTML to the message.

    Maybe I am misunderstanding what quote_smart actually does. Also, magic_quotes_gpc is turned on by the web hosting company.

    Hope someone can help me out, thanks!

  2. #2
    SitePoint Wizard
    quote_smart just prepares the data to be safely inserted into an SQL query.

    HTML does not harm an SQL query. If you want to prevent HTML from rendering, then use htmlspecialchars().
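    An added example (not code from either post) showing the two contexts the reply distinguishes: the SQL side is handled with a prepared statement, which goes beyond the mysql_real_escape_string() approach in the original code, and the HTML side is handled with htmlspecialchars() at output time. It assumes the pdo_sqlite extension is available and uses an in-memory database so it runs offline; the input values are constructed.

```php
<?php
// Added example: the same user input reaches two contexts, the SQL query and
// the HTML page, and each needs its own treatment. Storing the text unchanged
// is fine; the query must stay intact and the browser must not render it.
$pdo = new PDO('sqlite::memory:');                       // in-memory DB, assumed pdo_sqlite
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (name TEXT, message TEXT)');

// Constructed sample input: a name that would break a string-built query and
// a message that would be rendered as markup if echoed raw.
$name    = "o'brien' or '1'='1";
$message = '<script>alert("hi")</script>';

// SQL context: bind the values instead of pasting them into the query text.
// quote_smart()/mysql_real_escape_string() escape for this context only.
function store_comment(PDO $pdo, $name, $message)
{
    $stmt = $pdo->prepare('INSERT INTO comments (name, message) VALUES (:name, :message)');
    $stmt->execute(array(':name' => $name, ':message' => $message));
}

// HTML context: escape when the text is written into the page, not when it
// is stored, so the database keeps exactly what the user typed.
function safe_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

store_comment($pdo, $name, $message);

// The stored row is byte-for-byte the input: no HTML was "removed" by the SQL layer.
$row = $pdo->query('SELECT name, message FROM comments')->fetch(PDO::FETCH_ASSOC);
assert($row['name'] === $name && $row['message'] === $message);

// Rendered with the HTML escaping, the script tag is shown as text, not executed.
echo '<div>' . safe_html($row['name']) . ': ' . safe_html($row['message']) . "</div>\n";
```

    The rate-limit lookup in the original post, which concatenates $_SERVER['REMOTE_ADDR'] into the query, would be written with a bound parameter in the same way.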

