Hi, Just a quick question, I have been reading a lot about SQL injection doing a s**tload of damage to many sites, I myself use a pagentation class which sends the page number from page to page in a $_GET['page'] request which gets used in a LIMIT parameter.
From what i have been reading, wrapping all my GET and POST requests in a htmlentities() function should keep me safe....right? or what else should i/can i do?
eg: $page= htmlentities($_GET[page]);
Thanks, Ryan
htmlentities() is for displayed data. it will not protect against SQL injection.
The best way to protect against SQL Injection is:
for string data, mysql_real_escape_string() or your database's equiv. function
for all other data, type-check it with intval(), floatval() etc.
-- Jasper Bryant-Greene Cabbage Promotions www: www.cabbage.co.nz email: jasper@xxxxxxxxxxxxx phone: 021 232 3303
Public Key: Jasper Bryant-Greene <jasper@xxxxxxxxxxxxx> keyID 0E6CDFC5 Fingerprint: 2313 5641 F8F6 5606 8844 49C0 1D6B 2924 0E6C DFC5
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
