Reinhart Viane wrote:

> Seems that the only and best way to prevent mysql injection is the
> combination of mysql_real_escape_string combined with value validation.

Yes, this should be what you use.

When you think about application design, not only should you escape the data going into the database for security purposes. DBMSs have certain characters specific to them that can make the DBMS treat what's been inputted as a quote, but PHP won't see it as a quote, and magic_quotes, addslashes, etc. won't catch it - still leaving a security hole.

You should also be making sure you're inserting the proper data (ints in integer fields, strings in varchar, char, text, etc. fields) so that your DBMS doesn't start spitting SQL errors out in a log (or worse yet - to your visitor) and cause nightmares for visitors entering seemingly valid data when they aren't. This is definitely done in the case where you don't have quotes around your data in the SQL query - as is done sometimes with integer, double, etc.

Easy validation for integer:

    is_numeric($_POST['var'])

Easy way to just straight-up typecast:

    $clean['var'] = (int) $_POST['var'];

The best way is to check to see if it is_numeric rather than force its type to be integer - but for simplicity's sake, it can be used.

--
Christopher Weldon, ZCE
President & CEO
Cerberus Interactive, Inc.
cweldon@xxxxxxxxxxxxxxxxxx
979.739.5874

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
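Added example, not from the original message or its author: it contrasts the (int) cast and is_numeric() from the reply above with a stricter check for values that are interpolated unquoted into SQL, and shows the escaping step for string fields. is_numeric() also accepts floats and exponent notation, so it is looser than an integer column; the sample inputs below are constructed, and quoteString() assumes an open mysqli connection in $link.

```php
<?php
// Strict integer check for values that go into SQL without quotes.
// Returns the value as an int, or null when it is not a plain integer.
function cleanInt($raw): ?int {
    // is_numeric() is looser than an INT column: it is also true for
    // "12.5" and "1e3". FILTER_VALIDATE_INT accepts only an optional sign
    // followed by digits, so anything else is rejected instead of coerced.
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return ($v === false) ? null : $v;
}

// Build the unquoted query only after validation; otherwise reject.
function userById($raw): ?string {
    $id = cleanInt($raw);
    if ($id === null) {
        return null; // invalid input: no query is built at all
    }
    return "SELECT id, name FROM users WHERE id = " . $id;
}

// String fields: escape against the live connection's charset, then quote.
// mysqli_real_escape_string is the current equivalent of the
// mysql_real_escape_string mentioned in the thread.
function quoteString(mysqli $link, string $s): string {
    return "'" . mysqli_real_escape_string($link, $s) . "'";
}

// Constructed sample inputs comparing the three approaches.
$samples = ['42', '42abc', '12.5', '1e3', 'abc'];
foreach ($samples as $s) {
    printf("%-8s cast=%-4d is_numeric=%-5s strict=%s\n",
        var_export($s, true),
        (int) $s,                           // "42abc" becomes 42, "abc" becomes 0
        is_numeric($s) ? 'true' : 'false',  // true for "12.5" and "1e3"
        var_export(cleanInt($s), true));    // int only for "42"
}

var_dump(userById('42'));    // string: the query with id = 42
var_dump(userById('42abc')); // NULL: rejected rather than truncated
```

Only "42" survives the strict check; the cast silently turns "42abc" into 42, which is the kind of seemingly valid input the reply warns about.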