I'm trying to escape invalid characters in PHP, while also trying the PHP class called ezSQL. Here's my code:
<?php
include_once('ez_sql_core.php');
include_once('ez_sql_mysql.php');
$db = new ezSQL_mysql('root','pword','db','localhost');
$uname=$db->escape($_GET['uname']);
$pword=$db->escape($_GET['pword']);
$db->query("INSERT INTO users(Uname, Hpword) VALUES('$uname','$pword')");
?>
How do I avoid producing a URL like this, and not mess up the whole query? http://localhost/folder/file.php?uname=uzer's^&*%#&pword=dd'$#$%#'s
Normally, you would use the mysql_real_escape_string() function:
$uname=mysql_real_escape_string($_GET['uname']);
$pword=mysql_real_escape_string($_GET['pword']);
But since escaping is part of the framework you use, you already have this in your code:
$uname=$db->escape($_GET['uname']);
$pword=$db->escape($_GET['pword']);
I can guess that those lines do the trick, so nothing else is needed.
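As an added example (not code from the question, from this answer, or from the ezSQL project), here is the same INSERT done two ways against an in-memory SQLite database through PDO, so it runs offline without MySQL or ezSQL. It assumes the table and column names from the question; the two inputs are constructed to mirror the values in the question's URL; PDO::quote() stands in for $db->escape() / mysql_real_escape_string(); and password_hash() is used on the assumption that the column name Hpword means a hashed password is intended.

```php
<?php
// Added example: escape-then-interpolate versus a prepared statement.
// Runs against SQLite in memory so it needs no MySQL server or ezSQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Table and column names taken from the question.
$pdo->exec('CREATE TABLE users (Uname TEXT NOT NULL, Hpword TEXT NOT NULL)');

// Constructed inputs modelled on the question's URL, i.e. what
// $_GET['uname'] and $_GET['pword'] would hold after URL decoding.
$uname = 'uzer\'s^&*%#';
$pword = 'dd\'$#$%#\'s';

// Way 1: escape the value, then paste it into the SQL text. PDO::quote()
// plays the role of $db->escape() here (it also adds the surrounding quotes).
// This works, but every interpolated value has to be quoted with the right
// function for this connection, every time.
$sql = sprintf(
    'INSERT INTO users(Uname, Hpword) VALUES(%s, %s)',
    $pdo->quote($uname),
    $pdo->quote(password_hash($pword, PASSWORD_DEFAULT))
);
$pdo->exec($sql);

// Way 2: a prepared statement. The values never become part of the SQL
// text, so there is no escaping step left to get wrong.
$stmt = $pdo->prepare('INSERT INTO users(Uname, Hpword) VALUES(:u, :p)');
$stmt->execute([
    ':u' => $uname,
    ':p' => password_hash($pword, PASSWORD_DEFAULT),
]);

// Both rows must hold the username byte for byte, apostrophe included.
$rows = $pdo->query('SELECT Uname FROM users')->fetchAll(PDO::FETCH_COLUMN);
if ($rows !== [$uname, $uname]) {
    throw new RuntimeException('username was altered on the way into the table');
}

// And the stored hash must verify against the original password.
$hash = $pdo->query('SELECT Hpword FROM users LIMIT 1')->fetchColumn();
if (!password_verify($pword, $hash)) {
    throw new RuntimeException('stored hash does not match the password');
}

echo 'both inserts stored the raw username and a verifiable hash', PHP_EOL;
```

Run it with `php file.php` on a build that has pdo_sqlite (standard in most distributions). One caveat this answer leaves out: escaping only protects a value that sits inside quotes in the SQL text. An escaped value dropped into an unquoted position, such as a numeric comparison, is still injectable, which is why the prepared form is the safer default rather than relying on escape() being called correctly at every interpolation.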
$uname = preg_replace("#[^a-zA-Z0-9]#", "", $_GET["uname"]); // removes everything non-alphanumeric
But you need to define what "invalid" characters are.
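As an added example (not code from this answer), the whitelist filter above is run on inputs constructed from the question's URL to show what "defining invalid characters" actually does to the data: it rewrites the value instead of escaping it. A rejecting variant, assertAlnum(), is a hypothetical name introduced here to contrast the two policies.

```php
<?php
// Added example: whitelist filtering changes the stored value, so the
// policy has to be chosen deliberately (and is wrong for passwords).
declare(strict_types=1);

// The filter from the answer: keep ASCII letters and digits, drop the rest.
function onlyAlnum(string $s): string
{
    return preg_replace('#[^a-zA-Z0-9]#', '', $s);
}

// Hypothetical stricter variant: reject instead of silently rewriting, so the
// caller (and the user) learn that the input was not acceptable.
function assertAlnum(string $s, int $maxLen = 32): string
{
    if (!preg_match('#\A[a-zA-Z0-9]{1,' . $maxLen . '}\z#', $s)) {
        throw new InvalidArgumentException(
            'username must be 1-' . $maxLen . ' alphanumeric characters'
        );
    }
    return $s;
}

// Constructed inputs modelled on the question's URL.
$uname = 'uzer\'s^&*%#';
$pword = 'dd\'$#$%#\'s';

// Filtering rewrites the username: the apostrophe and symbols vanish.
if (onlyAlnum($uname) !== 'uzers') {
    throw new RuntimeException('unexpected filter result for username');
}

// Applied to a password, the same filter would store a different secret
// than the user typed, so it is the wrong tool for that field.
if (onlyAlnum($pword) !== 'dds') {
    throw new RuntimeException('unexpected filter result for password');
}

// Rejecting makes the rule explicit instead of altering the input.
try {
    assertAlnum($uname);
    throw new RuntimeException('input with symbols should have been rejected');
} catch (InvalidArgumentException $e) {
    // Expected: the apostrophe and symbols are outside the allowed set.
}

// A value that already satisfies the rule passes through unchanged.
echo assertAlnum('uzer42'), PHP_EOL;
```

Whichever policy you pick, it is input validation, not SQL escaping: a username that passes the whitelist still needs to reach the database through escape() or a prepared statement, and a password should never be passed through a character filter at all.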