I'm new to PHP and would like to make certain that I have the basic protection for the site:

1. Use double quotes to contain variables.
2. Use mysql_escape_string so that the query is considered part of the WHERE clause.

    $result = mysql_query('SELECT * FROM users WHERE username="' . mysql_escape_string($_GET['username']) . '"');

I'm pulling prices from a database and sending the item ID, which has 4 characters (1001, 1002, etc.). Is the following unnecessary with mysql_escape_string?

    if (preg_match("/^\w{4,4}$/", $_GET['username'], $matches)) {
        $result = mysql_query("SELECT * FROM items WHERE itemID=$matches[0]");
    } else {
        // we don't bother querying the database
        echo "itemID not accepted";
    }

Thanks
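As an added example (not the asker's code), here is the same item lookup written with PDO prepared statements, which send the SQL and the user value to the server separately so the value can never alter the query structure; the four-character whitelist from the question is kept as a fail-closed first check. It uses an in-memory SQLite table with constructed rows so it runs offline; for MySQL you would change the DSN and disable emulated prepares.

```php
<?php
// Added example, not from the question: parameterised query plus input
// whitelist. Uses in-memory SQLite with constructed sample data so it runs
// offline. For MySQL: new PDO('mysql:host=...;dbname=...;charset=utf8mb4', ...)
// with PDO::ATTR_EMULATE_PREPARES => false.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Constructed sample rows standing in for the real items table.
    $pdo->exec('CREATE TABLE items (itemID TEXT PRIMARY KEY, price REAL)');
    $pdo->exec("INSERT INTO items VALUES ('1001', 9.99), ('1002', 19.50)");
    return $pdo;
}

// Whitelist kept from the question: exactly four word characters.
// Anything else is rejected before a query is even built.
function isValidItemId(string $id): bool {
    return preg_match('/^\w{4}$/', $id) === 1;
}

// The SQL text contains only a placeholder; the value is bound at execute
// time, so no quoting or escaping of the input is needed and the
// charset problems of mysql_escape_string do not arise.
function fetchPrice(PDO $pdo, string $itemId): ?float {
    if (!isValidItemId($itemId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT price FROM items WHERE itemID = :id');
    $stmt->execute([':id' => $itemId]);
    $row = $stmt->fetch();
    return $row === false ? null : (float) $row['price'];
}

$pdo = connect();
// Constructed inputs standing in for $_GET['itemID']: one valid id, one
// unknown id, and one malformed value that the whitelist rejects.
foreach (['1001', '9999', "1001' OR 1=1"] as $input) {
    $price = fetchPrice($pdo, $input);
    printf("%-16s => %s\n", var_export($input, true),
           $price === null ? 'rejected or not found' : (string) $price);
}
```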