ravix76 Posted March 4, 2007
Hi All, So I learned PHP and MySQL, got my script up and running and then discovered this little thing called SQL injection... Yikes! I've been reading around and figured preg_match() is what I need to validate that inputted strings only consist of A to Z characters... but then came across mysql_real_escape_string(). I understand that this "escapes" all potentially "injectable" symbols, e.g. ' * etc. Does this supersede using preg_match(), or should I do both? What is best practice? I have a monster script to go back through and implement all of this! Thanks all.
https://forums.phpfreaks.com/topic/41111-mysql_real_escape_string/
Orio Posted March 4, 2007
It's best to use as much validation (such as preg_match()) and security (such as mysql_real_escape_string()) as possible. Just remember to use stripslashes() if magic_quotes is on before using mysql_real_escape_string(), so you won't escape things twice. Orio.
ravix76 Posted March 4, 2007 (Author)
Thanks Orio. Can anyone tell me whether % is a character I should be wary of allowing? My script is to create a product database, but some product names contain a % symbol (e.g. 100% Pure Grain Rice). For my preg_match, I'll be allowing [A-Z]|[a-z]|[0-9] & %. Is this OK? Thanks again...
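The following is an added example that puts the two answers above (validate with preg_match(), then escape, and undo magic_quotes first) and the follow-up question about the % character into one script. It is not code from the original thread or from either poster. It assumes PHP 7 or later with the mysqli extension, because the mysql_* functions discussed above were removed in PHP 7 and mysqli_real_escape_string() is the direct replacement; it also assumes a hypothetical table `products` with a `name` column and hypothetical connection details. The % character is not an injection character in an INSERT, so escaping handles it along with quotes, but it is a wildcard inside a LIKE pattern, and the example shows how to neutralise it there.

```php
<?php
// Added example for this thread; not code from the original posts.
// Assumes PHP 7+ with mysqli (the mysql_* extension discussed above was removed
// in PHP 7; mysqli_real_escape_string() is the drop-in replacement), and a
// hypothetical table `products` with a `name` column.

// 1. Validation: a whitelist regex. This is how "A-Z, a-z, 0-9 and %" is written
//    as one PCRE character class (a space is included so names like
//    "100% Pure Grain Rice" pass). '%' is not special to the regex engine.
function is_valid_product_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9 %]{1,100}$/', $name) === 1;
}

// 2. Undo magic_quotes so the value is not escaped twice. magic_quotes was
//    removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so
//    guard the call.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 3a. Escaping, as asked in the thread. Only safe when the escaped value is
//     placed inside a quoted string literal; the connection handle is needed
//     because escaping depends on the connection's character set.
function insert_product_escaped(mysqli $db, string $name): bool
{
    $safe = mysqli_real_escape_string($db, $name);
    return (bool) mysqli_query($db, "INSERT INTO products (name) VALUES ('$safe')");
}

// 3b. Prepared statement: the value never becomes part of the SQL text, so
//     quotes, '%' and anything else are stored literally with no escaping.
function insert_product_prepared(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO products (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// '%' is harmless in an INSERT, but in a LIKE pattern it is a wildcard (as is
// '_'). When user text becomes part of a LIKE pattern, escape those two
// characters with a backslash (MySQL's default LIKE escape character);
// otherwise searching for "100%" would match every name starting with "100".
function find_products_like(mysqli $db, string $fragment): array
{
    $pattern = '%' . addcslashes($fragment, '%_\\') . '%';
    $stmt = $db->prepare('SELECT name FROM products WHERE name LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($name);
    $names = [];
    while ($stmt->fetch()) {
        $names[] = $name;
    }
    return $names;
}

// Offline check of the validator with constructed inputs (no database needed).
$samples = [
    '100% Pure Grain Rice'        => true,
    "Rice'; DROP TABLE products;" => false,  // quote and semicolon rejected
    ''                            => false,  // empty name rejected
];
foreach ($samples as $input => $expected) {
    $ok = is_valid_product_name(raw_input($input));
    printf("%-32s => %s\n", var_export($input, true), $ok === $expected ? 'ok' : 'MISMATCH');
}

// Database usage, with hypothetical connection details (adjust for your setup):
// $db = new mysqli('localhost', 'user', 'password', 'shop');
// $db->set_charset('utf8mb4');
// insert_product_prepared($db, '100% Pure Grain Rice');
// print_r(find_products_like($db, '100%'));   // matches the literal "100%", not a wildcard
```

Validation and escaping answer different questions: the regex decides what the application is willing to accept at all, while escaping (or, better, the prepared statement) makes sure whatever is accepted cannot change the meaning of the SQL. Doing both is the advice given above; the prepared statement is what replaces the escaping step once the mysql_* functions are no longer available.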