> Best Way To Stop Sql Injections, sql injection
karlo
post Jun 18 2005, 07:49 AM
Post #11


Privileged Member

Group: Members
Posts: 622
Joined: 30-October 04
From: Philippines
Member No.: 2,049



QUOTE(SystemWisdom @ Jun 18 2005, 04:49 AM)
PHP to allow only letters/numbers:

CODE

function isAlphaNumeric( $szInput )
{
   // One or more letters/digits and nothing else. The '+' matters:
   // without it the pattern only matches a single character.
   return (bool) preg_match( '/^[a-zA-Z0-9]+$/', $szInput );
}
// usage:

if( isAlphaNumeric( 'mystring123' ) )
{
   // valid
}else
{
   // invalid
}

I hope that helps!


Where did you get this code? And how did you learn to use preg function and the ereg function?
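The whitelist approach quoted above, as an added example that is neither SystemWisdom's nor karlo's code: a per-field whitelist check (alphanumeric string, positive integer) run over a few constructed sample inputs. The function names, the length bound and the sample values are my own; the point worth seeing is that a strict whitelist also rejects legitimate input such as a name containing an apostrophe, which is why free-text fields are better protected by prepared statements than by character filtering.

```php
<?php
// Added example, not code from the thread: whitelist validation of form input
// before it gets anywhere near a query.

// Letters and digits only, at least one character, bounded in length.
// (The '+' quantifier is required; '/^[a-zA-Z0-9]$/' matches one character.)
function isAlphaNumeric($input, $maxLen = 64)
{
    return is_string($input)
        && strlen($input) <= $maxLen
        && preg_match('/^[a-zA-Z0-9]+$/', $input) === 1;
}

// A record id should be checked as a number, not merely as "contains no quotes".
function isPositiveInt($input)
{
    return is_string($input) && preg_match('/^[1-9][0-9]{0,9}$/', $input) === 1;
}

// Constructed sample inputs, as a form might submit them.
$samples = array(
    'mystring123',   // plain alphanumeric: accepted
    '42',            // accepted by both checks
    "O'Brien",       // a legitimate name, rejected by the character whitelist
    'a; b',          // separator and space: rejected
    '',              // empty: rejected
    '007',           // leading zero: not a positive int in canonical form
);

foreach ($samples as $s) {
    printf("%-14s alnum=%-3s int=%s\n",
        var_export($s, true),
        isAlphaNumeric($s) ? 'yes' : 'no',
        isPositiveInt($s) ? 'yes' : 'no');
}
```

Run it with the PHP CLI (`php whitelist.php`); each line shows which of the two checks the sample passes. Validation like this is a good fit for identifiers and numeric keys, and the prepared statements bjrn describes below in the thread are the right tool for everything else.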
bjrn
post Jun 19 2005, 02:31 PM
Post #12


Super Member

Group: Members
Posts: 378
Joined: 8-January 05
Member No.: 3,174



You can make your own checking function to strip strange characters and quotation marks, but you might as well use the excellent PEAR DB functions for just that issue. And Trap17 has PEAR installed, so you don't have to worry about that either.

Just use the prepare() and execute() functions like so:
CODE

<?php
// <things you want to do here>
require_once("PEAR.php");
require_once("DB.php");
// Stop with a message on any PEAR error rather than carrying on silently.
PEAR::setErrorHandling(PEAR_ERROR_DIE, "Aaaaargh! Error: %s");
$conn = DB::connect("mysql://username:password@localhost/databasename");
// The SQL text is fixed here; each ? is filled from $data when executed.
$preparedstatement = $conn->prepare('INSERT INTO tablename (field1, field2, field3, field4) VALUES (?, ?, ?, ?)');
$data = array($variable1, $variable2, $variable3, $variable4);
$conn->execute($preparedstatement, $data);


You will obviously have to change usernames/passwords/db name and set the variables and change table and field names to whatever you are using.

And if it's a guestbook or forum like thing you might want to do something like:
CODE
$variable = htmlspecialchars($_POST['variable'], ENT_QUOTES);
to set HTML entities.


PEAR is a bunch of PHP packages with all sorts of handy functions. You can get more info about PEAR at pear.php.net and more about the PEAR DB package and how to use it here.

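The prepare/execute pattern from the post above, as an added example that is not bjrn's code: the same guestbook insert written against PDO, which ships with PHP, instead of PEAR DB (PDO is my substitution, not something the post mentions). The DSN, credentials, table and column names are placeholders to replace with your own. It shows the concatenated query the prepared statement replaces, the prepared version, and htmlspecialchars() applied when the stored text is rendered rather than before it is stored.

```php
<?php
// Added example, not code from the thread. Placeholders: localhost,
// databasename, username, password, and the guestbook table/columns.

function connect()
{
    $pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8mb4',
                   'username', 'password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: values are never spliced into the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// The pattern prepared statements replace: user text becomes part of the SQL.
function insertEntryUnsafe(PDO $pdo, $name, $message)
{
    return $pdo->exec("INSERT INTO guestbook (name, message) VALUES ('$name', '$message')");
}

// Prepared: the SQL is fixed, the values travel separately as data.
function insertEntry(PDO $pdo, $name, $message)
{
    $stmt = $pdo->prepare('INSERT INTO guestbook (name, message) VALUES (?, ?)');
    $stmt->execute(array($name, $message));
    return $stmt->rowCount();
}

// Escape for HTML at output time. The database keeps the real text, and the
// escaping matches the context the text is actually going into (an HTML page).
function renderEntries(PDO $pdo)
{
    $html = '';
    foreach ($pdo->query('SELECT name, message FROM guestbook ORDER BY id') as $row) {
        $html .= '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

$pdo = connect();
// Constructed input: the apostrophe is legitimate data here, and the prepared
// statement stores it as such rather than letting it alter the SQL.
insertEntry($pdo, "O'Brien", 'Hello <world>');
echo renderEntries($pdo);
```

The guestbook table is assumed to have an auto-incrementing `id` plus `name` and `message` columns. Turning emulated prepares off makes PDO use the MySQL server's own prepared statements, so the separation between query text and parameters holds on the wire, not only in the client library; with emulation on, PDO quotes the values itself, which is still far safer than the concatenated form but not the same mechanism.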