Personally, I always check variables that I'm using in a query. If I'm expecting e.g. a session id (32 hex characters) I check that the session id is a valid one - i.e. "!^[0-9a-f]{32}$!" (I use ! as delimiter in regexps). Although mysql_escape_string will probably protect me from injections, I still verify the data.

Jos

-----Original Message-----
From: mayo [mailto:mayo@xxxxxxxxxxxxxxxxxx]
Sent: 16 May 2005 23:55
To: php-db@xxxxxxxxxxxxx
Subject: sql injection attack, protection from

I'm new to PHP and would like to make certain that I have the basic protection for the site:

Use double quotes to contain variable
Use mysql_escape_string so that query is considered part of the WHERE clause.

    $result = mysql_query('SELECT * FROM users WHERE username="' . mysql_escape_string($_GET['username']) . '"');

I'm pulling prices from a database and sending the item ID which has 4 characters (1001, 1002, etc.)

Is the following unnecessary with mysql_escape_string?

    if (preg_match("/^\w{4,4}$/", $_GET['username'], $matches))
        $result = mysql_query("SELECT * FROM items WHERE itemID=$matches[0]");
    else
        // we don't bother querying the database
        echo "itemID not accepted";

Thanks

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
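The two checks discussed in the thread, written out as an added example (not code from either poster): whitelist validation of the session id and the item id, followed by a parameterized query instead of string building. Note that the itemID query above interpolates the value without quotes, so escaping would not help there at all; only validation (or a placeholder) does. The PDO connection details, the GET parameter name `itemID` and the column `price` are assumptions; `items` and `itemID` come from the original post.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumes a table items(itemID, price)
// and a PDO connection built by the caller.

/** Session id: exactly 32 lowercase hex characters (Jos's pattern, '!' delimiters). */
function isValidSessionId(string $id): bool
{
    return preg_match('!^[0-9a-f]{32}$!', $id) === 1;
}

/**
 * Item id: exactly four digits. The original \w{4,4} also accepts letters and
 * '_', and since the value lands in the SQL unquoted, \d is the right class.
 */
function isValidItemId(string $id): bool
{
    return preg_match('/^\d{4}$/', $id) === 1;
}

/** Validate first, then let the driver send the value separately from the SQL text. */
function fetchItem(PDO $db, string $itemId): ?array
{
    if (!isValidItemId($itemId)) {
        return null;                       // reject before touching the database
    }
    $stmt = $db->prepare('SELECT itemID, price FROM items WHERE itemID = ?');
    $stmt->execute([$itemId]);             // bound value, never parsed as SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, an injection attempt, and a value \w{4} would pass.
foreach (['1001', '1001 OR 1=1', 'abcd'] as $candidate) {
    printf("%-12s -> %s\n", $candidate, isValidItemId($candidate) ? 'accepted' : 'rejected');
}
printf("session id -> %s\n", isValidSessionId(str_repeat('a', 32)) ? 'accepted' : 'rejected');

// Typical use (assumed DSN/credentials; native prepares so the server does the binding):
// $db = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
// $item = fetchItem($db, $_GET['itemID'] ?? '');
```

The `mysql_*` functions used in the thread, including `mysql_escape_string`, were removed in PHP 7, so the parameterized form above is also the only one that still runs on a current interpreter.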