Sudhakar wrote:
A) validating username in php
If you do what needs to be done to prevent sql injection, it doesn't matter what you let users have for their user name.
B) preventing sql injection
htmlentities
this has nothing to do with sql injection it just is needed so when you print data to the screen that may include html entities, they display right.
addslashes
This is a generic way to escape things and is a bad idea since it doesn't know what system you are using for your DB so you can't be sure it does it right.
trim
This is handy when reading form data just so you don't store any extra spaces at the beginning and end of entries. Often users will inadvertently add a space to the end or have spaces that come in from copy and paste. Again nothing to do with sql injection.
mysql-real-escape-string
If you are using MySQL this is the only function you need to prevent sql injection. Simply run any variable that will be part of a query through this function and then put single quotes around all variables in your queries and sql injection will be a non-issue. Example:

    $UserName = mysql_real_escape_string($UserName);
    $query = "SELECT * FROM `user` WHERE `UserName` = '$UserName' ";

run the query and all will be good. Many add the password to the where clause too but I prefer to use a php if statement to be sure the comparison is case sensitive (depending on the Collation you use in MySQL your conditional tests may or may not be case sensitive).
magic_quotes_gpc is ON
If you can, you should have this off. In php 6 Off will be the only option. With it on it adds slashes in an attempt to do a generic escape of characters to prevent sql injection. Since you can't be sure that will work right, the best bet is to read in your form data like this:

    $UserName = trim(stripslashes($_POST['UserName']));

I do the same thing for all data read from forms. Then before I use the var as part of a query, I use the mysql_real_escape_string function on it. The only exception is when I am expecting an integer returned from a form, in which case I use this:

    $Status = (int) $_POST['Status'];

that way no matter what the user or some hacker tries to get in, I am sure $Status contains an integer and I don't need to bother with the mysql_real_escape_string on that var. If magic_quotes_gpc is off, you can and should remove the stripslashes function call. Note the only reason I use trim is to get rid of any white space that may be at the ends of the string.
magic_quotes_runtime is OFF
magic_quotes_sybase is OFF
These should both be off too.

--
Chris W
KE5GIX
"Protect your digital freedom and privacy, eliminate DRM, learn more at http://www.defectivebydesign.org/what_is_drm"
Ham Radio Repeater Database.
http://hrrdb.com
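The pipeline Chris W describes (stripslashes only while magic_quotes_gpc is on, trim, an (int) cast for integers, real_escape_string plus single quotes for strings, and the password compared in PHP rather than in the WHERE clause), written out as one added example that is not code from the post. It uses the mysqli extension, because the mysql_* functions the post relies on were removed in PHP 7.0; mysqli_real_escape_string() is the direct equivalent and takes the connection handle so it can escape for the connection's actual character set. Host, credentials, database, table and column names are placeholders, and the stored password is assumed to be a password_hash() hash.

```php
<?php
// Added example, not code from the original post. Connection details and the
// `user` table layout are placeholders chosen for illustration.

$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($db === false) {
    die('connect failed: ' . mysqli_connect_error());
}
// The escape function is only correct for the charset the connection uses,
// so set it explicitly instead of relying on the server default.
mysqli_set_charset($db, 'utf8mb4');

// String field from a form: undo magic_quotes_gpc slashes only when that
// setting is really on (it was removed in PHP 5.4), then trim stray spaces.
function readString(array $src, string $key): string
{
    $v = isset($src[$key]) ? (string) $src[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return trim($v);
}

// Integer field: the cast guarantees an int, so it needs no escaping or quotes.
function readInt(array $src, string $key): int
{
    return isset($src[$key]) ? (int) $src[$key] : 0;
}

// Look a user up by name. Escape AND quote: escaping without the quotes would
// still let an unquoted expression through, and quotes without escaping would
// let an embedded quote end the string early.
function findUser(mysqli $db, string $userName): ?array
{
    $safe   = mysqli_real_escape_string($db, $userName);
    $query  = "SELECT `UserName`, `PasswordHash`, `Status` FROM `user` WHERE `UserName` = '$safe'";
    $result = mysqli_query($db, $query);
    if ($result === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    mysqli_free_result($result);
    return $row ?: null;
}

// The same lookup as a prepared statement: the value never becomes part of the
// SQL text, so there is nothing to escape or quote. Returns the same row as findUser().
function findUserPrepared(mysqli $db, string $userName): ?array
{
    $stmt = mysqli_prepare($db, 'SELECT `UserName`, `PasswordHash`, `Status` FROM `user` WHERE `UserName` = ?');
    if ($stmt === false) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $userName);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row    = $result ? (mysqli_fetch_assoc($result) ?: null) : null;
    mysqli_stmt_close($stmt);
    return $row;
}

// Request handling.
$userName = readString($_POST, 'UserName');
$password = readString($_POST, 'Password');
$status   = readInt($_POST, 'Status');   // an int, safe to interpolate as-is

$user = findUser($db, $userName);

// The password check happens in PHP, so the column collation cannot make it
// case-insensitive. password_verify() is case-sensitive by construction.
if ($user !== null && password_verify($password, $user['PasswordHash'])) {
    // htmlspecialchars belongs here, at output time, not in the query.
    echo 'login ok for ', htmlspecialchars($user['UserName'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'login failed';
}
```

The two lookup functions are interchangeable; findUser() shows the escape-then-quote rule from the post, and findUserPrepared() shows the bound-parameter form that makes the rule unnecessary because the driver sends the value separately from the statement text.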