At the end of a Flash game I’m developing I have a submission form which submits the players score, as well as user entered values for first name, last name, email address etc.
These values are sent as variables to an amfphp service which enters them into a MySQL database.
I’m aware of the need to prevent MySQL injection, be it accidental or malicious, and had thought it would be a simple case of using some php string functions on the variables before entering them into the database.
However, if I enter:
[COLOR=Red]INSERT “;” WHERE id=‘firstName’
[COLOR=Black]As the ‘firstName’ variable, I get the “You have an error in your syntax message”.
I have tried
[COLOR=Blue]htmlspecialchars(theString)
strip_tags([/COLOR][/COLOR][/COLOR][COLOR=Red][COLOR=Black][COLOR=Blue]theString[/COLOR][/COLOR][/COLOR][COLOR=Red][COLOR=Black][COLOR=Blue])
htmlentities([/COLOR][/COLOR][/COLOR][COLOR=Red][COLOR=Black][COLOR=Blue]theString[/COLOR][/COLOR][/COLOR][COLOR=Red][COLOR=Black][COLOR=Blue])
[COLOR=Black]But none of them seem to prevent the database from thinking I am trying to insert a new row.
If anyone can advise on this matter I’d very much appreciate it.
[/COLOR][/COLOR][/COLOR][/COLOR][COLOR=Red][COLOR=Black][/COLOR][/COLOR]
