If you know you are using MySQL, you could pass all database input through mysql_real_escape_string.

Or you could use prepared statements and not have to worry about escaping the data, as MySQL *knows* it's data.

You'll probably not be able to defeat XSS in any meaningful way, however...

Perhaps you need to EDUCATE the authorized people...

On Thu, April 5, 2007 9:17 am, Bing Du wrote:
> Hi,
>
> I'm not an experienced PHP developer. We're hosting a content management
> system that allows authorized people to add PHP contents. Their PHP coding
> levels vary. Some are very security sensitive, but some are not. I want to
> know if PHP has any ready-to-use function to validate form input to help
> prevent SQL injection/XSS? So each programmer doesn't have to write their
> own form validation code. I'd appreciate any advice or pointers.
>
> Thanks in advance,
>
> Bing
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
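As an added illustration of the two approaches the reply contrasts (escaping versus prepared statements), plus output encoding for the XSS half of the question: this is example code, not from the thread or from PHP's own documentation, written against PDO rather than the old mysql extension, and it assumes a `users(id, name)` table and connection details that are placeholders.

```php
<?php
// Added example. Assumes a MySQL table `users(id INT, name VARCHAR)` and the
// placeholder DSN/credentials below; none of this comes from the original thread.

// 1. Vulnerable: the caller's string is spliced straight into the SQL text,
//    so the server cannot tell data from query.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping (the mysql_real_escape_string approach, PDO's equivalent is
//    quote()). Correct only if the escaper knows the connection's character set,
//    which is why the charset is pinned in the DSN below.
function findUserEscaped(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = " . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: query text and parameter values travel separately,
//    so the input is never parsed as SQL and no escaping is needed.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS is a separate problem solved at output time: encode for the HTML
// context when rendering, with the charset declared explicitly.
function renderName(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Placeholder connection details; ERRMODE_EXCEPTION surfaces failures instead
// of silently returning false, and disabling emulation gives real server-side
// prepares so MySQL itself treats the bound values as data.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

foreach (findUserPrepared($pdo, $_GET['name'] ?? '') as $row) {
    echo renderName($row['name']);
}
```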