-
hammersoftwareAsked on October 10, 2019 at 6:48 AM
Just thought I'd mention, you're giving bad advice on how to solve SQL injection. Adding slashes is not going to work properly if the person is not using MySQL, which is why the php documentation for addslashes() specifically states that is bad advice and suggests that you use a database-specific method to solve it.
Instead a proper suggestion to tell the person wanting to save your data is to use prepared statements:
https://stackoverflow.com/questions/8263371/how-can-prepared-statements-protect-from-sql-injection-attacks/8265319
If you're using PHP, this can be accomplished via PDO or PEAR, or for MySQL specifically, you can use mysqli.
Using backslashes in SQL code can introduce a whole host of other problems.
From the same stackoverflow article:
For example, there(1) are(2) still(3) many(4) answers(5), including the second most upvoted answer suggesting you manual string escaping - an outdated approach that is proven to be insecure.
-
Richie JotForm SupportReplied on October 10, 2019 at 7:58 AM
Its true that Addslashes() is not good enough when dealing with multibyte encoded strings. However, it still does prevent SQL injections.
Prepared statements is indeed a good practice to use when updating/saving database.
Thank you for your advice and we will take note on this.
- Templates
- Integrations
- INTEGRATIONS
- See 100+ integrations
- FEATURED INTEGRATIONS
PayPal- Slack
- Google Sheets
- Mailchimp
- Zoom
- Dropbox
- Google Calendar
- Hubspot
- Salesforce
- See more Integrations
- Products
- PRODUCTS
- Form Builder
- Jotform Enterprise
- Jotform Apps
- Store Builder
- Jotform Tables
- Jotform Inbox
- Jotform Mobile App
- Jotform Approvals
- Report Builder
- Smart PDF Forms
- PDF Editor
- Jotform Sign
- Jotform for Salesforce Discover Now
- Support
