I have the following code:
$nome = $_POST['nome'];
$ip = preg_replace("/[^a-zA-Z0-9\.]/", "", $_POST['ip']);
$porta = preg_replace("/[^0-9\s]/", "", $_POST['porta']);
$site = preg_replace("/[^a-zA-Z0-9\.]/", "", $_POST['site']);
I'm handling some variables with the exception of one, as it needs to accept accentuation, how do I treat this variable correctly to avoid SQL Injection ? And get her to accept accents, strokes, and brackets?
You can use mysql_real_escape_string ( Documentation )
This function will not make you lose unwanted characters, such as the way you are doing. They will be encoded so that MYSQL understands them as part of string , not part of the code.
Please note that mysql_real_escape_string is OBSOLETE (see documentation in English)!
Warning This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
Alternatives to this function include:
mysqli_real_escape_string ()
PDO :: quote ()
I recommend using PDO or , always with prepare .
There's already an excellent answer from @rray on this subject: How to prevent SQL injection in my PHP code