[thelist] making text boxes more secure

Chris W. Parker cparker at swatgear.com
Fri Sep 19 12:18:10 CDT 2003


Nan Harbison <mailto:nansmith at heritageconcord.org>
    on Friday, September 19, 2003 9:39 AM said:

> $Array['username'] = strtolower($Array['username']);
> $username = stripslashes($Array['username']);
> $username = ereg_replace ("'", "", $username);
> $username = ereg_replace (";", "", $username);
> $username = ereg_replace ("select", "", $username);
> $username = ereg_replace ("insert", "", $username);

Really all you need to do to protect against SQL injection (as far as I
understand it) is addslashes(). That will effectively escape all
potentially malicious characters.

www.php.net/addslashes

Original string

"This is the bad string ' AND 1=1"

Now with addslashes()

"This is the bad string \' AND 1=1"

When this NEW string is passed to the db it will be harmless. You only
need to use stripslashes() when pulling information out of a database
that's already had addslashes() applied to it.


If you want to do more than just add or strip slashes you should put
your code into a function so that it's easier to use later.

function make_safe_text($input)
{
	// escape ' " \ and NUL with a backslash
	$input = addslashes($input);
	// normalise case so comparisons in the query are consistent
	$input = strtolower($input);

	return $input;
}


Hope this helps.

Chris.


p.s. Please correct me where I'm wrong people.
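An added example, not part of Chris's post: it reimplements the escaping rules PHP's addslashes() and stripslashes() apply (backslash before ' " \ and NUL), rebuilds the post's make_safe_text() on top of them, and shows the round trip the post describes plus what happens when a string is escaped twice. The names addslashes, stripslashes, make_safe_text and the constant BAD are assumptions of this example.

```python
# Added example (not from the original post): reimplements the escaping
# rules PHP's addslashes()/stripslashes() apply, so the round trip the
# post describes can be checked outside PHP.

def addslashes(s: str) -> str:
    """Escape the characters PHP's addslashes() escapes: \\ ' " and NUL."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "'":
            out.append("\\'")
        elif ch == '"':
            out.append('\\"')
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def stripslashes(s: str) -> str:
    """Undo ONE application of addslashes(): drop a backslash and keep the
    character after it; the two-character sequence \\0 becomes NUL, as in PHP."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append("\0" if nxt == "0" else nxt)
            i += 2
        elif s[i] == "\\":
            i += 1  # a trailing lone backslash is dropped, as in PHP
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def make_safe_text(text: str) -> str:
    """The post's helper (typo fixed): escape first, then lower-case."""
    return addslashes(text).lower()


BAD = "This is the bad string ' AND 1=1"   # the post's sample input (constructed)

if __name__ == "__main__":
    print(addslashes(BAD))                 # This is the bad string \' AND 1=1
    print(stripslashes(addslashes(BAD)) == BAD)
    # Escaping twice (e.g. magic_quotes plus a manual addslashes) doubles up,
    # which is why stripslashes() belongs only on data already escaped once.
    print(addslashes(addslashes(BAD)))
```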

