Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
05-07-2006, 08:45 PM #1
- Join Date
- Sep 2004
- Thanked 0 Times in 0 Posts
Best protection against SQL injection.
Thanks for helping,
05-07-2006, 10:34 PM #2
- Join Date
- Sep 2005
- Sydney, Australia
- Thanked 632 Times in 622 Posts
When you set up an input field you know exactly what you want the field to be used for and so should have a good idea of what entries are valid for that particular field. So what you want to do on the server as soon as you retrieve the field is to validate the field as accurately as you can against what that expected input would be. If built-in functions exist that will handle the validation then use those. If the particular format doesn't fit a built-in function then use a regular expression. If only specific values are allowed (eg. from a select list) then validate that the value received is one from the list and discard anything else.
You also want to use htmlentities() for filtering output to the screen and mysql_real_escape_string for filtering data being written to mysql databases (and the closest equivalent if using a different database).