I've recently created a PHP registration script for a website that a friend and I are working on. I've read up on the dangers of MySQL injection, and I was wondering if my current code is protected from such attacks, or if additional steps need to be taken.
The relevant part of the code is as follows:

```php
$email = $_POST['email'];
$username = $_POST['username'];
$username = strip_tags(trim($username));
$email = strip_tags(trim($email));

// Sanitization code I found somewhere..
function mres($var) {
    $conn = get_my_db();
    // get_magic_quotes_gpc() was removed in PHP 8, so check that it exists first
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $var = stripslashes(trim($var));
    }
    return $conn->real_escape_string(trim($var));
}

// Sanitize username
$sanUsername = mres($username);

// Make SQL query ($conn inside mres() is local to that function, so open one here)
$conn = get_my_db();
$sql = "SELECT username FROM accounts WHERE username = '$sanUsername' ";
$result = $conn->query($sql);
```
Thanks in advance,
Shawn
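An added example (not part of the original post): the same username lookup and the insert written with bound parameters, so that query safety does not depend on escaping the value. It uses PDO with in-memory SQLite so that it runs without a server, which is an assumption; with the mysqli connection in the post, `prepare()` and `bind_param()` play the same role, and `usernameExists`, `register` and the username policy are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the poster's code. In-memory SQLite stands in for MySQL
// so the script runs offline; the table contents are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO accounts VALUES ('shawn', 'shawn@example.test')");

// Hypothetical helper: the value travels as a bound parameter, so quotes and
// SQL keywords inside it are compared as data and never parsed as SQL.
function usernameExists(PDO $pdo, string $username): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM accounts WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn() !== false;
}

// Hypothetical helper: input validation is a separate step from query safety.
// The username policy (3-32 letters, digits, underscore) is an assumption.
function register(PDO $pdo, string $username, string $email): string
{
    $username = trim($username);
    $email = trim($email);
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username)) {
        return 'rejected: invalid username';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected: invalid email';
    }
    if (usernameExists($pdo, $username)) {
        return 'rejected: username taken';
    }
    $stmt = $pdo->prepare('INSERT INTO accounts (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $username, ':e' => $email]);
    return 'created';
}

// Constructed inputs: an existing name, a name with an apostrophe, and a
// string shaped like SQL. The last two match no row and raise no SQL error.
foreach (['shawn', "o'brien", "x' OR '1'='1"] as $name) {
    printf("%-14s exists: %s\n", $name, var_export(usernameExists($pdo, $name), true));
}
echo register($pdo, 'shawn', 'other@example.test'), "\n";
echo register($pdo, 'alice_01', 'alice@example.test'), "\n";
echo register($pdo, "o'brien", 'ob@example.test'), "\n";
```

`strip_tags()` filters HTML markup and has no bearing on how the SQL statement is parsed, which is why the example validates format and binds parameters as two separate steps.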