[thelist] Avoiding SQL Injection

kris burford kris at midtempo.net
Mon Mar 21 13:12:08 CST 2005

>I understand what SQL Injection is, and have read some articles on
>it. The one thing I'm not quite sure of is how restrictive I need to be
>in a form input field which should allow free-form text. I will be
>putting this into a database table for suggestions.

this is the function i call to do this. hope it helps.


function my_htmlspecialchars($t="")
        // Use forward look up to only convert & not {
        $t = preg_replace("/&(?!#[0-9]+;)/s", '&', $t );

        $t = str_replace( "<", '&lt;'  , $t );
        $t = str_replace( ">", '&gt;'  , $t );
        $t = str_replace( '"', '&quot;', $t );
        $t = str_replace( "'", '&#039;', $t );
        return $t;

More information about the thelist mailing list