[thelist] making text boxes more secure

Chris W. Parker cparker at swatgear.com
Fri Sep 19 12:18:10 CDT 2003

Nan Harbison <mailto:nansmith at heritageconcord.org>
    on Friday, September 19, 2003 9:39 AM said:

> $Array[username] = strtolower($Array[username]);
> $username = stripslashes($Array[username]);
> $username = ereg_replace ("'", "", $username);
> $username = ereg_replace (";", "", $username);
> $username = ereg_replace ("select", "", $username);
> $username = ereg_replace ("insert", "", $username);

Really all you need to do to protect against SQL injection (as far as I
understand it) is addslashes(). That will effectively escape all
potentially malicious characters.


Original string

"This is the bad string ' AND 1=1"

Now with addslashes()

"This is the bad string \' AND 1=1"

When this NEW string is passed to the db it will be harmless. You only
need to use stripslashes() when pulling information out of a database
that's already had addslashes() applied to it.

If you want to do more than just add or strip slashes you should put
your code into a function so that it's easier to use later.

function make_safe_text($input)
{
	// escape quotes, backslashes and NUL bytes, then normalise case
	$input = addslashes($input);
	$input = strtolower($input);

	return $input;
}

Hope this helps.


p.s. Please correct me where I'm wrong people.
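Added example, not part of the original post: it runs the post's helper over the post's sample string, then shows the same lookup done with a PDO prepared statement, where the value is bound instead of escaped. The table, rows and in-memory SQLite database are constructed here for the demonstration and assume the pdo_sqlite extension is loaded.

```php
<?php
// Added example; not code from the original mailing-list post.

function make_safe_text(string $input): string
{
    // Same idea as the post's helper: escape, then lower-case.
    $input = addslashes($input);
    return strtolower($input);
}

$bad = "This is the bad string ' AND 1=1";
echo make_safe_text($bad), "\n";

// Interpolating the escaped value into the SQL text relies on addslashes()
// matching the database's own quoting rules for the connection's charset.
$sql = "SELECT id FROM users WHERE username = '" . make_safe_text($bad) . "'";
echo $sql, "\n";

// Prepared statement: the value is sent separately from the SQL text,
// so the quote and the "AND 1=1" fragment travel as data, not as SQL.
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => strtolower($username)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database so the example runs offline (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

var_dump(find_user($pdo, 'Alice'));  // matches the 'alice' row
var_dump(find_user($pdo, $bad));     // no row: the whole string is compared as a username
```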
