  1. #1
     SitePoint Enthusiast (Join Date: Aug 2002, Posts: 45)

    Little help with forms

    Hi, I was doing some searching and I came across some code on here, and I decided to put it in the form I already had, since one of my forms seemed to be getting attacked with SQL injections.

    PHP Code:
    <?php
    // Legacy mysql_* extension, as used in the original post (removed in PHP 7).
    $connection = mysql_connect($host, $user, $pass);
    mysql_select_db($db, $connection);

    // Escape a value for use inside quotes in an SQL string.
    // This only protects the SQL query; it does nothing to HTML in the value.
    function quote_smart($value)
    {
        // Undo magic_quotes_gpc so the value is not escaped twice
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }

        // Quote if not integer
        if (!is_numeric($value)) {
            $value = mysql_real_escape_string($value);
        }

        return $value;
    }

    // Simple word filter; HTML tags pass through untouched.
    function filter($text)
    {
        $replace = array('****'=>'****','****'=>'****','pussy'=>'*****','*****'=>'*****','sex'=>'***');
        foreach ($replace as $old => $new) {
            $text = str_replace($old, $new, $text);
        }
        return $text;
    }

    if (isset($_POST['submit'])) {
        // Last comment time and ban flag for this IP (used for rate limiting)
        $result = mysql_query("select max(`time`), max(`banned`) from `comments` where `ip` = '" . $_SERVER['REMOTE_ADDR'] . "'");
        $result = mysql_fetch_array($result);
        $name = quote_smart(filter(strtolower($_POST['name'])));
        $message = quote_smart(filter(strtolower($_POST['message'])));
        if (((time() - $result[0]) > 20) && ($result[1] != 1)) {
            mysql_query("insert into comments(`name`,`time`,`message`,`ip`, `yesno`)
                values('$name','" . time() . "','$message','" . $_SERVER['REMOTE_ADDR'] . "','no')");
        } else {
            echo "<div>Slow down!</div>";
        }
        // Note: this message is also shown when the comment was rate-limited above.
        echo "<div>Thank You For The Comment Waiting For Approval</div>";
    }
    I thought quote_smart was supposed to remove slashes, unless I am not using it right, because I was able to add HTML to the message.

    Maybe I am misunderstanding what quote_smart actually does. Also, magic_quotes_gpc is turned on by the web hosting company.

    Hope someone can help me out, thanks!

  2. #2
     SitePoint Wizard (Join Date: Mar 2006, Posts: 6,132)
    quote_smart just prepares the data to be safely inserted into an SQL query.

    HTML does not harm an SQL query. If you want to prevent HTML from rendering, then use htmlspecialchars().
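The distinction made in the reply above, as an added example that is not part of the thread or the poster's code: SQL escaping (here done with a prepared statement, which replaces quote_smart entirely) protects the query, and htmlspecialchars() at render time protects the page. The example assumes PHP 7.4 or later with the pdo_sqlite extension, and uses an in-memory SQLite table in place of the poster's MySQL `comments` table; the inputs are constructed to show a quote that breaks naive string-building and a tag that would render if echoed raw.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.4+ with pdo_sqlite.

// Undo magic_quotes_gpc once, at the input boundary, on old PHP only.
// On PHP 7.4+ the function does not exist and the value is returned as-is.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Storage: a prepared statement binds values out-of-band, so nothing in
// $name or $message can change the query structure. No escaping needed.
function store_comment(PDO $db, string $name, string $message, string $ip): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (name, time, message, ip, yesno) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$name, time(), $message, $ip, 'no']);
}

// Output: HTML escaping happens at render time, never before storage, so the
// database keeps the comment exactly as typed and the page cannot be injected.
function render_comment(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="comment"><b>' . $h($row['name']) . '</b>: '
         . $h($row['message']) . '</div>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (name TEXT, time INTEGER, message TEXT, ip TEXT, yesno TEXT)');

// Constructed inputs (hypothetical, standing in for $_POST): one with a quote
// that would break a string-built query, one with markup that would render raw.
$posted = [
    ['name' => "O'Brien", 'message' => "it's fine'); DROP TABLE comments; --"],
    ['name' => 'guest',   'message' => '<script>alert(1)</script> <b>bold</b>'],
];
foreach ($posted as $p) {
    store_comment($db, raw_input($p['name']), raw_input($p['message']), '203.0.113.7');
}

// Both rows are stored verbatim; the table still exists; the tags come out as
// &lt;script&gt; text rather than live HTML.
foreach ($db->query('SELECT name, message FROM comments') as $row) {
    echo render_comment($row), "\n";
}
```

Keeping the two steps apart matters for the poster's case: running htmlspecialchars() before insertion would store `&lt;b&gt;` in the table and double-encode if the same row is later escaped again at output, while escaping only at output lets the stored text be reused in a plain-text mail or a JSON API without HTML entities in it.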

