Drupal SQL Injection Prevention and Apostrophe Processing in Forms

Question

Drupal SQL Injection Prevention and Apostrophe Processing in Forms

in typical PHP applications, I used mysql_real_escape_string before I introduced SQL inserts. However, I cannot do this in Drupal, so I would need help. And without any function like this, user input with apostrophes violates my code.

Please offer.

thanks

My SQL is as follows:

$ sql = "INSERT INTO some_table (field1, field2) VALUES ('$ field1', '$ field2')";

db_query ($ SQL);

+4

drupal drupal-6 drupal-fapi

jini Jun 18 '10 at 3:40

source share

1 answer

Kevin · Accepted Answer · 2010-06-18T03:54:28+0000

Wrap the table with {}.

Also, use the correct placeholder syntax to insert, for example,% d for numbers,% s for strings.

Here is the API function page:

http://api.drupal.org/api/function/db_query/6

Note that he has arguments.

Example:

db_query('INSERT INTO {tablename} (field1, field2) VALUES ("%s", "%s")', $field1, $field2);

Drupal SQL Injection Prevention and Apostrophe Processing in Forms

More articles: