Re: [PHP] question about validation and sql injection
- Date: Fri, 16 May 2008 10:39:53 +1000
- From: Chris <dmagick@xxxxxxxxx>
- Subject: Re: [PHP] question about validation and sql injection
Dmitri wrote:
> your validation looks good enough to me. If you only allow
> alphanumerical chars, then you should not be worried about sql injection
> also use addslashes($username) before you insert into database and you
> should be fine.
>
> Usually addslashes is enough to prevent this, but the validation that
> you have is also enough. So if you are worried about the sql injection, then
> use both and you should be fine.
Ahh, that's just wrong.
I can encode an sql query into hex code and that'll pass alpha-numeric
validation.
Use mysql_real_escape_string when you save your data, or use
parameterized queries.
http://www.php.net/mysql_real_escape_string
http://www.php.net/manual/en/pdo.prepared-statements.php
http://www.php.net/manual/en/mysqli.prepare.php
--
Postgresql & php tutorials
http://www.designmagick.com/
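To make the distinction concrete, here is an added example (not code from the thread or from either poster) contrasting the addslashes-and-interpolate pattern with a PDO prepared statement, the second of the options Chris points to. It assumes a `users` table with `id` and `username` columns and uses an in-memory SQLite database so it runs without a MySQL server.

```php
<?php
// Added example, not from the thread. Assumes a `users` table with
// `id` and `username` columns reachable through a PDO connection.

// The pattern the thread warns against: escaping by hand and gluing the
// value into the query text. Whether this is safe depends on the escape
// function matching the server's quoting rules and connection charset,
// which addslashes() knows nothing about.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $escaped = addslashes($username);
    $sql = "SELECT id, username FROM users WHERE username = '$escaped'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Prepared statement: the query text is fixed before any user data
// arrives and the value travels separately, so the database never
// parses it as SQL regardless of its content.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also disable client-side emulation so the server
// performs the binding: $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('o''brien')");

// A value containing a quote is looked up literally; no escaping needed.
var_dump(findUserSafe($pdo, "o'brien"));
// An unknown user simply yields null, never a malformed query.
var_dump(findUserSafe($pdo, 'nobody'));
```

Keeping an alphanumeric check on the username is still reasonable as input validation, but as the thread says it is not the SQL defence; the bound parameter is.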
--
PHP General Mailing List (http://www.php.net/)