php - Is there any way to SQL inject in my code?
I'm not familiar with SQL injection and want to know if there is any vulnerability in my script. If there is, please point it out and give me a tip to fix it.
<?php include("config.php"); ?>
<?php
// Only the description is escaped before it is used in the query.
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);
// The author value is taken from the request as-is.
$author = $_POST['author'];
$date = date("d/m/y");
mysql_query("insert `changelog`(`author`, `date`, `description`) values ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>
Yes, there is. Solely relying on mysql_real_escape_string has been deprecated. Furthermore, you should build your own logic tests based on the range of input you are expecting. You might want to use regexp or other trimming functions; don't rely on mysql_real_escape_string.
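An added example, not part of the original question or answer: the same changelog insert with input checks of the kind the answer describes, plus a PDO prepared statement, which the answer does not name. The helper names validate_entry and add_entry, the length and character limits, and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for MySQL so
// the script runs offline; with MySQL only the PDO DSN and credentials change.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE changelog (author TEXT, date TEXT, description TEXT)');

// Input checks in the spirit of the answer. The limits are assumptions:
// author is 1-32 letters, digits, spaces, dots, underscores or hyphens;
// description is 1-500 bytes after trimming.
function validate_entry(array $input): ?array
{
    $author = $input['author'] ?? null;
    $desc   = $input['desc'] ?? null;
    if (!is_string($author) || !is_string($desc)) {
        return null; // missing field, or an array sent in place of a string
    }
    $author = trim($author);
    $desc   = trim($desc);
    if (!preg_match('/\A[A-Za-z0-9 ._-]{1,32}\z/', $author)) {
        return null;
    }
    if ($desc === '' || strlen($desc) > 500) {
        return null;
    }
    return ['author' => $author, 'desc' => $desc];
}

function add_entry(PDO $pdo, array $input): bool
{
    $entry = validate_entry($input);
    if ($entry === null) {
        return false;
    }
    // Placeholders keep every value out of the SQL text, so quotes are stored as data.
    $stmt = $pdo->prepare(
        'INSERT INTO changelog (author, date, description) VALUES (:author, :date, :description)'
    );
    return $stmt->execute([':author' => $entry['author'], ':date' => date('d/m/y'),
                           ':description' => $entry['desc']]);
}

// Constructed sample requests (stand-ins for $_POST).
var_dump(add_entry($pdo, ['author' => 'alice', 'desc' => "Fixed the login page's redirect"]));
var_dump(add_entry($pdo, ['author' => "mallory' --", 'desc' => 'test']));
var_dump((int) $pdo->query('SELECT COUNT(*) FROM changelog')->fetchColumn());
```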