FaRmBoX Posted December 24, 2009 If a text area which updates a `description` field in MySQL is placed in front of you, how would I validate it to prevent SQL injections? What characters are a MUST to preg_match against to accomplish this? If there's an easier way than to preg_match the text area, please do share. If possible, explain how the text area I'm typing into right this second fights off an SQL injection. Pretty much any character can be typed in, am I right? I hope you understand my question. Thanks. Link: https://forums.phpfreaks.com/topic/186218-validating-text-area-from-a-form/
premiso Posted December 24, 2009 To prevent SQL injection, simply use mysql_real_escape_string. If you also want to prevent an XSS exploit, use htmlentities as well, which will convert any special HTML characters to their proper entity. Hope that helps.
FaRmBoX Posted December 24, 2009 (Author) Seems way too easy to just use mysql_real_escape_string(). Will this really prevent most, if not all, SQL injections? I remember reading somewhere that preg_matching a variable is much safer than mysql_real_escape_string().
premiso Posted December 24, 2009 As far as I know it will prevent all SQL injections. Now you will want to use regex if you need to validate values, such as a username cannot have certain characters or a password requires x characters, etc. But for preventing SQL injections mysql_real_escape_string will do the trick, as that is what it is coded for.
pneudralics Posted December 24, 2009 I usually do something like this: `$description = mysql_real_escape_string(htmlentities(strip_tags(trim($_POST['description']))));`
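The two answers above (escape with mysql_real_escape_string, optionally with htmlentities/strip_tags on top) describe the escaping approach. As an added example that is not from the thread or any of its posters, the block below shows how a free-text `description` field is handled today: a prepared statement sends the text as a bound parameter, so no character in it is ever parsed as SQL and nothing needs to be stripped or regex-filtered for injection purposes; the legacy escaping approach is shown in its mysqli form, since the mysql_* functions were removed in PHP 7; and HTML escaping is done when the text is rendered rather than when it is stored. The table name `items`, its `id`/`description` columns and the connection constants are assumptions (placeholders), not anything the thread specifies.

```php
<?php
// Added example (not from the thread): storing and rendering a free-text description.
// Assumes a MySQL table `items` with columns `id` (INT) and `description` (TEXT),
// and the placeholder connection details below.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // placeholder
const DB_USER = 'app_user';                                         // placeholder
const DB_PASS = 'change-me';                                        // placeholder

function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Preferred: a prepared statement. The text travels as data, separate from the SQL,
// so apostrophes, quotes, semicolons and comment markers in it are just characters.
function updateDescription(PDO $pdo, int $id, string $description): int
{
    $stmt = $pdo->prepare('UPDATE items SET description = :description WHERE id = :id');
    $stmt->bindValue(':description', $description, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Legacy approach from the thread, in mysqli form (mysql_real_escape_string was removed
// in PHP 7). Escaping is only sound when the value is placed inside quotes and the
// connection charset has been set, so the escaper knows which bytes are quote characters.
function updateDescriptionEscaped(mysqli $db, int $id, string $description): int
{
    $db->set_charset('utf8mb4');
    $safe = $db->real_escape_string($description);
    $db->query("UPDATE items SET description = '" . $safe . "' WHERE id = " . $id);
    return $db->affected_rows;
}

// Output side: escape for HTML when rendering, not when storing. Storing the raw text
// keeps it usable elsewhere (search, API, plain-text email) and puts the XSS defence at
// the point where HTML is actually produced.
function renderDescription(string $description): string
{
    return '<p>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage: a textarea submission containing quotes and tags is stored unchanged and
// rendered safely.
if (PHP_SAPI === 'cli') {
    $posted = "Bob's \"special\" item <b>100% off</b> & more";  // constructed input
    $pdo = connect();
    updateDescription($pdo, 42, $posted);
    echo renderDescription($posted), PHP_EOL;
}
```

Validation with preg_match still has a place, as the second answer says, but for enforcing business rules (length limits, allowed characters in a username) rather than for stopping injection; with a bound parameter the description can legitimately contain any character the column's charset allows.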