How ‘bout a little data filtering before you go inserting user-generated data into that nice database of yours? Here’s a handy function that does just that. No need to test this one; I know it outputs exactly what I expect.
```php
<?php
function prepString($string) {
    // Specifically for MSSQL: '' instead of \'
    $badChars  = array("'", "&", ",");
    $goodChars = array("", "&", "");
    if (is_string($string)) {
        $string = str_replace($badChars, $goodChars, $string);
        $string = stripslashes($string);
        $string = "$string";
    }
    return ($string);
}
```
Here’s an example of the function in use.
```php
<?php
foreach ($_POST as $x => $y) {
    $_POST[$x] = prepString($y);
}
$query = "insert into table (column1, column2, column3, column4) values('"
    . $_POST['input1'] . "','" . $_POST['input2'] . "', '"
    . $_POST['input3'] . "', '" . $_POST['input4'] . "')";
```