joymis Posted December 3, 2016

Hello, I have code I use for preventing SQL injection, but the code does not seem to work. This is my code:

    <?php
    class Util {
        public static function edit_array($array) {
            array_walk_recursive($array, 'Util::edit_value');
        }
        public static function edit_value(&$value) {
            $value = trim(htmlspecialchars($value, ENT_QUOTES));
        }
    }
    Util::edit_array($_POST);
    print_r($_POST);
    ?>

I print the $_POST value and confirm it with the browser's developer tools, but the value still shows a single quote, not '. I don't know why, please help me. In addition to the htmlspecialchars function, I want to know what else I should use to prevent SQL injection. Thanks.
Ingolme Posted December 3, 2016

The only reliable way to prevent SQL injection is to use prepared statements. Read the tutorial page about it: http://www.w3schools.com/php/php_mysql_prepared_statements.asp Anything else is prone to oversights and mistakes. You shouldn't need to store HTML entities; that's not a protection against SQL injection.

The reason your code is not behaving as expected is that a clone of the array is created when it is passed into the function. The original array is unaffected. Look up passing by reference in the PHP manual.
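The two fixes Ingolme describes, written out as an added example that is not code from the thread: the helper now takes the array by reference, and the lookup uses a mysqli prepared statement instead of string concatenation. The table `users(id, username, email)` and the connection parameters are placeholders assumed for illustration.

```php
<?php
// Added example, not from the thread. Table and credentials are placeholders.

class Util
{
    // Take the array by reference so the caller's $_POST is modified;
    // without the & only a copy is edited and then discarded.
    public static function edit_array(array &$array): void
    {
        array_walk_recursive($array, 'Util::edit_value');
    }

    public static function edit_value(&$value): void
    {
        // Only normalise whitespace here. HTML escaping belongs at output
        // time (echo htmlspecialchars(...)), and is not an SQL defence.
        $value = trim((string) $value);
    }
}

// Vulnerable: user input is spliced into the SQL text, so a quote in
// $username changes the query's structure.
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, email FROM users WHERE username = '$username'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened: the query text is sent to the server first and the value is
// bound separately, so the input is always treated as data.
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, email FROM users WHERE username = ?");
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (placeholder connection details).
$db = new mysqli('localhost', 'db_user', 'db_password', 'app');
Util::edit_array($_POST);            // $_POST itself is now trimmed
$user = find_user($db, $_POST['username'] ?? '');
```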
joymis Posted December 5, 2016 (Author)

OK, I will change to using prepared statements to prevent SQL injection. Thank you for your help.