Good day

I wanted to try to add to the mysql table:

    // works
    $param = "abc";
    $result = mysql_query("INSERT INTO `table` (`field`) VALUES ('".$param."')");

    // does not work
    $param = "`field`='05'";
    $result = mysql_query("INSERT INTO `table` (`field`) VALUES ('".$param."')");

I started googling: this thing is called SQL injection, and it is shown how to protect against it. This is not exactly what I am looking for. I want to add this to the database (and then read it back). What should I do?

  • Hmmm ... Did I understand you correctly? That is, you do not want protection against MySQL injection, but how to bypass it? - Deonis
  • I just want to add the following entry to the table cell - frank

3 answers

Escaping. It is not at all difficult to use. In general, it is desirable to escape all data that may somehow end up in the database. Escape the superglobal arrays before you load the page. There is a lot of information on the Internet about the subtleties of the issue.

     $param = "`field`='05'";
     $param = mysql_real_escape_string($param);
     $result = mysql_query("INSERT INTO `table` (`field`) VALUES ('".$param."')");

    If I am not mistaken.

    • Yes, that is how it turned out. Though I gave the accept to the first one to answer - frank

    See this comment here. It provides an example of working with the database using PDO.
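
The PDO approach the last answer points to, as an added example that is not part of the original thread: the value from the question is stored verbatim through a prepared statement and read back, next to the concatenated query that fails. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database in place of the MySQL server so it runs offline; the third sample value is constructed.

```php
<?php
// Added example, not code from the thread. SQLite in-memory stands in for
// MySQL (assumption); table and column names follow the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE "table" (id INTEGER PRIMARY KEY, field TEXT)');

// Sample values: two from the question, one constructed.
$values = ["abc", "`field`='05'", "O'Reilly \\ 100%"];

// 1) Concatenation, as in the question: a quote inside the value ends the
//    SQL string literal early, so the statement no longer parses.
foreach ($values as $v) {
    try {
        $pdo->exec("INSERT INTO \"table\" (field) VALUES ('" . $v . "')");
        echo "concat   ok:   $v\n";
    } catch (PDOException $e) {
        echo "concat   FAIL: $v\n";
    }
}
$pdo->exec('DELETE FROM "table"');

// 2) Prepared statement: the SQL text is fixed and the value is bound
//    separately, so its quotes and backticks are plain data.
$insert = $pdo->prepare('INSERT INTO "table" (field) VALUES (:field)');
foreach ($values as $v) {
    $insert->execute([':field' => $v]);
}

// Read the rows back and check that each value round-trips unchanged.
$stored = $pdo->query('SELECT field FROM "table" ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
foreach ($values as $i => $v) {
    $tag = ($stored[$i] === $v) ? "prepared ok:   " : "prepared DIFF: ";
    echo $tag . $stored[$i] . "\n";
}
```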