I understand some ways are better than others in this one, and it looks like the PDO based implementations shine the most as far as SQL Injection. But would not the following be good enough - without implementing a PDO solution? 1- get the user input 2- for each input, deliberately enforce a data type ( that is date/string/integer ) and validate it. 3- for each input, deliberately enforce a data length ( for strings data length and for integer a valid range for example ) 4- check the magic_quotes_gpc and do the stripslashes and then the mysqli_real_escape_string() and the htmlentities. 5- and on top pf all this, I also check for the specific occurrences of these following words; if any exist, I just do not execute that SQL query. and that list is sysobjects, syscolumns, systypes, EXEC(@, CHAR(, exec%20, DECLARE%20@, wscript. CAST( CONVERT( 6- I also count the number of "0x" occurrences, if the user input contains more than 2 of "0x", again I do not execute that command. With all these in place, I don't know of a way that a userinput can still make it thru. These may raise a false negative on some valid user input that's coming from a textarea where the data type is string, and an accepted char length is big enough to create some havoc in the db, so be it, I reject that input. My question even after all these are there still ways to break in? All the aboce can be easily tucked in a function which does a data validation something like VallidateUserInput ( $_GET['first_name'], "varchar(100)",Please supply a first name that is less than 100 characters"); VallidateUserInput ( $_GET['age'], "smallint",Please supply an age that is between 1-20") Your insight is greatly appreciated on this. I also read somewhere that mysql does NOT allow statement chaining. So, that's even better. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
