[thelist] making text boxes more secure
Chris W. Parker
cparker at swatgear.com
Fri Sep 19 12:18:10 CDT 2003
Nan Harbison <mailto:nansmith at heritageconcord.org>
on Friday, September 19, 2003 9:39 AM said:
> $Array['username'] = strtolower($Array['username']);
> $username = stripslashes($Array['username']);
> $username = ereg_replace ("'", "", $username);
> $username = ereg_replace (";", "", $username);
> $username = ereg_replace ("select", "", $username);
> $username = ereg_replace ("insert", "", $username);
Really all you need to do to protect against SQL injection (as far as I
understand it) is addslashes(). That will effectively escape all
potentially malicious characters.
www.php.net/addslashes
Original string
"This is the bad string ' AND 1=1"
Now with addslashes()
"This is the bad string \' AND 1=1"
When this NEW string is passed to the db it will be harmless. You only
need to use stripslashes() when pulling information out of a database
that's already had addslashes() applied to it.
If you want to do more than just add or strip slashes you should put
your code into a function so that it's easier to use later.
function make_safe_text($input)
{
    // escape ' " \ and NUL with a backslash, then normalise case
    $input = addslashes($input);
    $input = strtolower($input);
    return $input;
}
Hope this helps.
Chris.
p.s. Please correct me where I'm wrong people.
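As an added example (this is not code from the original post), the following PHP shows what addslashes() actually does to the string above, and the one case a practitioner should check before relying on it: a value that is dropped into the query without surrounding quotes, where there is no quote character for addslashes() to escape. The `users` table, the `$db` mysqli connection and the input values are assumptions for the illustration.

```php
<?php
// Added example, not from the original post.

function make_safe_text($input)
{
    // On PHP 4/5 with magic_quotes_gpc enabled, request data arrives already
    // slashed; strip first so addslashes() does not double-escape it.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    }
    // addslashes() prefixes ' " \ and NUL with a backslash
    return strtolower(addslashes($input));
}

$bad = "This is the bad string ' AND 1=1";
$escaped = make_safe_text($bad);
// $escaped is now: this is the bad string \' and 1=1

// Quoted context: the backslash keeps the quote inside the string literal,
// so the whole value is compared as data (MySQL honours backslash escapes).
$sqlQuoted = "SELECT * FROM users WHERE username = '" . $escaped . "'";

// Unquoted (numeric) context: nothing to escape, so the input is spliced
// straight into the WHERE clause and becomes SQL.
$id = "1 OR 1=1";                                   // constructed input
$sqlNumeric = "SELECT * FROM users WHERE id = " . addslashes($id);
// => SELECT * FROM users WHERE id = 1 OR 1=1       (matches every row)

// Values used without quotes must be cast to the expected type instead.
$sqlNumericSafe = "SELECT * FROM users WHERE id = " . (int) $id;
// => SELECT * FROM users WHERE id = 1

// With a prepared statement (mysqli, PHP 5+; $db assumed) the value is bound
// separately from the SQL text, so neither addslashes() nor casting is needed.
/*
$stmt = $db->prepare("SELECT * FROM users WHERE username = ?");
$stmt->bind_param("s", $bad);   // raw value, no escaping
$stmt->execute();
*/
```

Run the first part with the PHP CLI to see the two query strings; the escaped quote only helps inside a quoted literal, which is why the cast (or a bound parameter) is what protects the `id = ...` case.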