Old 05-29-2008, 03:44 PM sql injection
I have implemented a way to avoid SQL injection in my PHP website, following this URL:
http://in.php.net/mysql_real_escape_string, from the "Example #3 A "Best Practice" query" section of that page.

Following are the steps I have followed after the form values are submitted to a PHP file.

step 1.

if (get_magic_quotes_gpc()) {
    // magic quotes already added backslashes; strip them so the value is escaped only once, in step 3
    $username = stripslashes($_POST["username"]);
    .........
} else {
    $username = $_POST["username"];
    .........
}

step 2.

$conn = mysql_connect($hostname, $user, $password);

step 3.

// mysql_real_escape_string() needs the open connection from step 2; if mysql_connect() failed,
// $conn is false here and this call will raise a warning before the check in step 4 runs
$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
    mysql_real_escape_string($username, $conn),
    ...);

step 4.

if (!$conn) {
    header("Location: http://website/dberror.html");
    exit;
} else {
    mysql_select_db($database, $conn);

    $insertqueryresult = mysql_query($insertquery);

    if (!$insertqueryresult) {
        header("Location: http://website/error.html");
        exit;
    }
}

With the above method I am able to insert values into the table even if I enter the ' special character, which can cause problems.

I have also used a simple SQL insert query like

$insertquery = "INSERT INTO table(username, ...) VALUES ('$username', ...)";

When I used this simple insert query and entered ' in the form and submitted it, the PHP file was unable to process the information entered because of the ' character, and as per the code the error.html file was displayed. Whereas if I use

$insertquery = sprintf("INSERT INTO table (`username`, ...) VALUES ('%s', ...)",
    mysql_real_escape_string($username, $conn),
    ...);

even if I enter any number of ' characters in more than one form field, the data is inserted into the table.

a)
So I am thinking that the steps I have taken from the PHP site are correct and the right way to avoid SQL injection, though there are several ways to avoid SQL injection.

b)
For example, if I enter data in the form as abc'''def for the name, the data in the table for the name field is written as abc'''def.

Based on how I have written the steps to avoid SQL injection, is this the right way for the data to be stored, with the ' characters along with the data, as in the example I mentioned, abc'''def?

Please answer questions a) and b). If there is something else I need to do, please suggest what needs to be done exactly and at which step.

Any help will be greatly appreciated.

Thanks.
sudhakararaog
Old 05-29-2008, 04:43 PM Re: sql injection
Jeremy Miller (JeremyMiller), Reno, NV
There are some lengthy discussions on this forum regarding SQL injection and protecting yourself from it. You should do a quick search for "sql injection" and check out those threads which answer your questions.
Old 05-29-2008, 07:04 PM Re: sql injection
simster
Check out this site on how to set up good prevention against it.

http://www.tizag.com/mysqlTutorial/m...-injection.php
Old 05-29-2008, 07:21 PM Re: sql injection
John Alexander (Learning Newbie), Moderator
Stored procedures are the right way to avoid SQL injection attacks. With escaping and the like, you're needlessly complicating your application, and in most cases you're preventing users from sending input that could be genuinely valuable, like a regular expression string.
Old 05-29-2008, 10:50 PM Re: sql injection
Starr Horne (upstarter)
It looks like you're reinventing a lot of what any database will give you for free. The easiest way to avoid SQL injection is just to use bind parameters. Do that and you can free up enough time to go after XSS attacks.
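The insert from the first post rewritten with the bound parameters upstarter recommends, as an added example that is not code from the thread. It assumes the mysqli extension, the same $hostname, $user, $password and $database variables as the first post, and a table named users with a username column; with a placeholder the value never becomes part of the SQL text, so abc'''def from question b) is stored exactly as typed without any escaping step.

```php
<?php
// Added example, not from the thread. Assumes $hostname, $user, $password and
// $database are set as in the first post and a table `users` with a `username`
// column exists. Requires the mysqli extension.

// Step 1 in spirit: undo magic_quotes_gpc on old PHP builds that still have it,
// so we hold the raw value the user typed (e.g. abc'''def).
$username = isset($_POST['username']) ? $_POST['username'] : '';
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $username = stripslashes($username);
}

// Step 2: connect, and check the connection before using it for anything.
$mysqli = new mysqli($hostname, $user, $password, $database);
if ($mysqli->connect_error) {
    header('Location: http://website/dberror.html');
    exit;
}

// Steps 3 and 4 combined: the SQL text holds only a `?` placeholder and the
// value is sent to the server separately, so no quote in the input can alter
// the statement and no mysql_real_escape_string() call is needed.
$stmt = $mysqli->prepare('INSERT INTO users (username) VALUES (?)');
if ($stmt === false) {
    header('Location: http://website/error.html');
    exit;
}
$stmt->bind_param('s', $username);   // 's' = bind the value as a string
if (!$stmt->execute()) {
    header('Location: http://website/error.html');
    exit;
}
$stmt->close();

// Read the row back the same way to confirm the stored value equals the input.
$stmt = $mysqli->prepare('SELECT username FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($stored);
$found = $stmt->fetch();
$stmt->close();
$mysqli->close();

// htmlspecialchars() keeps the quotes from becoming an XSS problem on output.
if ($found && $stored === $username) {
    echo 'stored exactly as entered: ', htmlspecialchars($stored), "\n";
}
```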