  1. #1 Regular Coder (Join Date: Sep 2004, Posts: 137)

    Best protection against SQL injection.

    ^topic

    Thanks for helping,
    Metsuo

  • #2 Master Coder felgall (Join Date: Sep 2005, Location: Sydney, Australia, Posts: 6,456)
    When you set up an input field you know exactly what you want the field to be used for and so should have a good idea of what entries are valid for that particular field. So what you want to do on the server as soon as you retrieve the field is to validate the field as accurately as you can against what that expected input would be. If built-in functions exist that will handle the validation then use those. If the particular format doesn't fit a built-in function then use a regular expression. If only specific values are allowed (e.g. from a select list) then validate that the value received is one from the list and discard anything else.

    You also want to use htmlentities() for filtering output to the screen and mysql_real_escape_string() for filtering data being written to MySQL databases (and the closest equivalent if using a different database).
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
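A worked version of the three validation strategies from the reply above (built-in function, regular expression, fixed list), followed by the separate escape steps for the database and for the screen. This is an added PHP example, not code from the thread; it assumes a `users` table with a `username` column, assumed connection credentials, and uses mysqli_real_escape_string() as the maintained equivalent of mysql_real_escape_string() (the mysql_ functions were removed in PHP 7).

```php
<?php
// Added example: validate each field against what it is expected to hold,
// then escape for the database and for HTML output as two separate steps.

// 1. Built-in validator where one exists (e-mail address).
function validate_email(string $raw): ?string {
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// 2. Regular expression where the format has no built-in validator
//    (assumed rule: 3 to 20 characters, letters, digits or underscore).
function validate_username(string $raw): ?string {
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

// 3. Fixed list for a field that comes from a select list; anything not
//    in the list is discarded (assumed option values).
function validate_sort(string $raw): ?string {
    $allowed = ['name', 'date', 'size'];
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Reject anything that fails validation before it reaches a query.
$username = validate_username($_POST['username'] ?? '');
$sort     = validate_sort($_POST['sort'] ?? '');
if ($username === null || $sort === null) {
    http_response_code(400);
    exit('Invalid input');
}

$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials

// Escape the free-text value for the SQL string. The column name is only
// interpolated because validate_sort() restricted it to the fixed list.
$safe = mysqli_real_escape_string($db, $username);
$sql  = "SELECT id, username FROM users WHERE username = '$safe' ORDER BY $sort";
$result = $db->query($sql);

// Escape again, with the HTML rules this time, when echoing data back.
while ($row = $result->fetch_assoc()) {
    echo htmlentities($row['username'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

With mysqli the same lookup can also be written as a prepared statement ($db->prepare() with bind_param()), which removes the manual escaping step for the value entirely; the validation and the htmlentities() output step stay the same.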

