Flourish PHP Unframework
This is an archived copy of the forum for reference purposes

fRequest::get()

posted by mohdshakeel77 8 years ago

When I use fRequest::get() to get the value of the form, it gives an error when the input value in the form is like test's (I mean a string with single quotes).

Please post the PHP code you are executing plus the HTML and value that is not returning as you would expect.

posted by wbond 8 years ago

HTML code:

<form name="test" action="">
<input type="text" name="uname" />
<input type="submit" name="submit" />
</form>

PHP code:

$uname = fRequest::get('uname');

It gives an error when uname = xyz'x, so I used addslashes(fRequest::get('uname'));

The error displays only when we use the $uname value in a MySQL query like:

"SELECT * FROM tbuser WHERE uname='" . $uname . "'"

posted by mohdshakeel77 8 years ago

If you are trying to use the value in a SQL statement you should read fDatabase#EscapingDataSecurity.

posted by wbond 8 years ago

Can I update fRequest::get(), and how? Please help me. If I use your suggestion then I need to change all my code, so I want to just add mysql_add_slashes() to every call of fRequest::get().

posted by mohdshakeel77 8 years ago

Unfortunately addslashes() does not properly protect you from SQL injection. Also, with fDatabase it is not guaranteed what mysql extension you will be running, so you can't rely on being able to use mysql_real_escape_string() or mysqli_real_escape_string().

SQL injection protection needs to happen at the database layer and not the request layer. I am sorry that it will mean you need to rewrite your code, but that is the only way I can ensure you won't experience SQL injection vulnerabilities.

posted by wbond 8 years ago

mysql_real_escape_string($postedval) always throws an exception:

A link could not be connected with your database.

posted by mohdshakeel77 8 years ago

Like I mentioned, you can't rely on Flourish using the mysql extension, and thus you can't use the mysql-specific function for escaping your data. You really are going to need to use fDatabase::escape() or pass your params to fDatabase::query().

posted by wbond 8 years ago
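The advice in the two replies above (SQL injection protection belongs in the database layer, and the value should go through fDatabase::escape() or the parameters of fDatabase::query()) in working code. This is an added example, not code from the thread or from the Flourish project. The loader path, the database name and credentials, and the uname column are assumptions; tbuser is the table the poster named, and xyz'x is the poster's own test value.

```php
<?php
// Added example, not code from the thread or from the Flourish project.
// Assumptions: Flourish is loaded through its autoloader at the path below,
// and a MySQL database "app" holds a table tbuser with a column uname
// (the table name comes from the thread; the rest is hypothetical).
require_once '/path/to/flourish/fLoader.php';

$db = new fDatabase('mysql', 'app', 'app_user', 'app_pass', 'localhost');

// BEFORE: the query from the thread. The value is glued into the SQL text, so
// the quote in xyz'x ends the string literal early and MySQL reports a syntax
// error. Worse, an input such as  x' OR '1'='1  turns the WHERE clause into
//   uname='x' OR '1'='1'
// which matches every row. addslashes() hides the syntax error but still
// leaves the data inside the SQL text, which is why it is rejected above.
// Kept only for comparison; not called below.
function find_user_vulnerable(fDatabase $db, $uname)
{
    $sql = "SELECT * FROM tbuser WHERE uname='" . $uname . "'";
    return $db->query($sql);
}

// AFTER (1): fDatabase::query() with a %s placeholder. The user-controlled
// value never becomes part of the SQL text; fDatabase escapes it for whichever
// MySQL extension it actually connected with, so no mysql_real_escape_string()
// link is needed and the quote in xyz'x is treated as data.
function find_user_placeholder(fDatabase $db, $uname)
{
    return $db->query("SELECT * FROM tbuser WHERE uname = %s", $uname);
}

// AFTER (2): fDatabase::escape() for code that has to assemble the SQL string
// before executing it. The returned literal already carries its surrounding
// quotes, so none are written by hand into the query.
function find_user_escaped(fDatabase $db, $uname)
{
    $literal = $db->escape('string', $uname);
    return $db->query("SELECT * FROM tbuser WHERE uname = " . $literal);
}

// Usage: the value comes straight from fRequest::get() and is handed to the
// database layer unchanged. The default argument is the poster's test value,
// supplied (constructed) so the script also runs without a form submission.
$uname = fRequest::get('uname', 'string', "xyz'x");

$result = find_user_placeholder($db, $uname);
foreach ($result as $row) {
    // Escape for the output context too: HTML, not SQL.
    echo htmlspecialchars($row['uname']), "\n";
}
```

The only per-call change from the thread's code is moving the value out of the string concatenation and into the argument list of fDatabase::query(); fRequest::get() itself stays as it is, which is the point of the replies above: the request layer returns the raw string, and escaping is done once, by the database object, against the driver it really opened.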