MYSQL INJECTION, how to stop it?


Orionsbelter

Hi, I know about mysql_escape_string() and addslashes(), but what I need to know is: are there any other ways, and can I use these on the username string? For example, if someone logs in to my website and it addslashes it, won't it just totally change the username?

 

e.g. username's login would change to username'/s login, then my website would think it's an invalid username, wouldn't it?

 

And is there a function to remove these slashes?

 


Well, if you used addslashes on the register page, the username would be "username'/s login"; if you also use addslashes on the login page, then it would still be "username'/s login", so it would work.

 

You could then use stripslashes() to remove the ' if you wanted to print it to the screen.

 

But like awpti said, you should keep it alphanumeric if you can.


DO NOT use addslashes.

 

Always use mysql_real_escape_string() instead, while a MySQL connection is in existence.

 

addslashes is open to being fooled.

 

As the guys above said, try to force usernames into being only A-Z 0-9.

 

On list menu forms, give your options corresponding numbers and then check if they are numeric with is_numeric(), which returns 1 if it is.

 

Try to use only numerical values for GET values and check to see if they are numerical (also use strip_tags).

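An added example, not code from any of the posters above, that puts the thread's advice into working PHP: usernames restricted to A-Z 0-9 as the replies recommend, numeric ids checked before they are used, and the query itself done with a prepared statement. The mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7.0, so PDO (or mysqli) prepared statements are what replaces them today; with a prepared statement the value never becomes part of the SQL text, so there is nothing to escape on the way in and nothing to strip on the way out. The database here is an in-memory SQLite one so the script runs offline; the users table, the account "alice" and the injection string are constructed for the demo. For MySQL the only change is the DSN shown in the comment.

```php
<?php
// Added example (not from the original thread): validate, then use prepared
// statements. SQLite in memory so it runs offline; for MySQL use e.g.
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass)
declare(strict_types=1);

// Usernames limited to A-Z, a-z, 0-9 as the thread recommends. Anything else
// is rejected (null), so the quoting problem from the first post never arises.
function validate_username(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9]{3,32}$/', $input) === 1 ? $input : null;
}

// Ids coming from GET or list menus. ctype_digit is stricter than is_numeric,
// which also accepts "1e3", " 12", "-1" and "1.5". The length cap keeps the
// value inside a signed 32-bit INT column (assumption: ids are positive ints).
function validate_id(string $input): ?int
{
    if (!ctype_digit($input) || strlen($input) > 9) {
        return null;
    }
    return (int) $input;
}

// Constructed test database with one account.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Vulnerable form: user input concatenated straight into the SQL, so a quote
// in the input changes the query structure.
function user_exists_vulnerable(PDO $db, string $username): bool
{
    $sql = "SELECT 1 FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchColumn() !== false;
}

// Safe form: the SQL is fixed text and the value is bound separately, so it
// can only ever be compared as data.
function user_exists_safe(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

// Login: validate the name, prepared lookup, then verify the password hash.
function login(PDO $db, string $username, string $password): bool
{
    $name = validate_username($username);
    if ($name === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

$db = make_db();
$payload = "' OR '1'='1";   // constructed injection input, not a real username

echo 'vulnerable lookup with payload: ', var_export(user_exists_vulnerable($db, $payload), true), PHP_EOL;
echo 'prepared lookup with payload:   ', var_export(user_exists_safe($db, $payload), true), PHP_EOL;
echo 'validate_username(payload):     ', var_export(validate_username($payload), true), PHP_EOL;
echo 'login alice / correct horse:    ', var_export(login($db, 'alice', 'correct horse'), true), PHP_EOL;
echo 'login alice / wrong:            ', var_export(login($db, 'alice', 'wrong'), true), PHP_EOL;
echo 'validate_id("42"), ("1e3"):     ', var_export(validate_id('42'), true), ', ', var_export(validate_id('1e3'), true), PHP_EOL;
```

Run it with `php example.php`. The payload makes the concatenated query's WHERE clause always true, so the vulnerable lookup "finds" a user that does not exist, while the prepared lookup compares the whole string as data and finds nothing, and validate_username() rejects it before any query is sent. Two practical notes for the MySQL driver: pass `PDO::ATTR_EMULATE_PREPARES => false` in the PDO constructor options so the server, not the client library, does the parameter binding, and set the connection charset in the DSN, since the multibyte-charset trick that fools addslashes() depends on the client and server disagreeing about the character set. Do not store escaped strings in the database: escaping (when you still need it, e.g. with mysqli_real_escape_string()) belongs at the point the query is built, and stripslashes() is only a symptom of having stored escaped data.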
