danbee, posted June 27, 2007

I've got an HTML page that takes in parameters from the address and passes them to a PHP script which accesses a MySQL database. I'm only allowing alphanumeric characters with the exception of these symbols: ? & = % / - . :

The scrubbing script I use is this:

    $str = preg_replace('/[^a-zA-Z0-9?&=%\-.:\/ ]/i', '', $str);

Also, there are some variables that are numbers, so I run the following script to make sure it's numeric:

    return (preg_match("/^(-){0,1}([0-9]+)(,[0-9][0-9][0-9])*([.][0-9]){0,1}([0-9]*)$/", $value) == 1);

Is there anything else I need to worry about?
per1os, posted June 27, 2007

The main worry in SQL injection is the single quote. If the single quote is not escaped, someone could do something like this:

    ' OR 1

which would return all records, or they could get really creative and delete the entire table. At any rate, before entry into the database you should escape your data with www.php.net/mysql_real_escape_string to escape the characters that could potentially harm you.
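An added illustration (not code from either poster) of how the two checks from the question interact: the whitelist scrub does strip the quote from the reply's example, but because it allows spaces, letters and "=", it leaves an unquoted numeric parameter exposed on its own; the numeric regex is what closes that gap. The `buildIdQuery` helper, the `items` table and the sample inputs are constructed for this example; string parameters still need escaping (or a prepared statement) as the reply says.

```php
<?php
// Whitelist scrub from the question: keeps alphanumerics and ? & = % / - . : and space.
function scrub(string $str): string {
    return preg_replace('/[^a-zA-Z0-9?&=%\-.:\/ ]/i', '', $str);
}

// Numeric check from the question: optional minus, digits, optional ",ddd" groups,
// optional decimal part.
function isNumericValue(string $value): bool {
    return preg_match("/^(-){0,1}([0-9]+)(,[0-9][0-9][0-9])*([.][0-9]){0,1}([0-9]*)$/", $value) == 1;
}

// Hypothetical helper: builds a lookup on a numeric id column. Interpolating a
// scrubbed value is only acceptable here because the numeric check gates it;
// anything that fails is refused rather than sent to MySQL.
function buildIdQuery(string $rawId): ?string {
    $clean = scrub($rawId);
    if (!isNumericValue($clean)) {
        return null;
    }
    // Caveat: the regex accepts thousands separators ("12,345"), which MySQL does
    // not read as one number. Remove them before use so "id = 12,345" never reaches the server.
    $clean = str_replace(',', '', $clean);
    return "SELECT * FROM items WHERE id = " . $clean;
}

// Constructed sample inputs.
$samples = [
    "42",          // ordinary id: passes both checks
    "' OR 1",      // the reply's example: scrub drops the quote, numeric check then rejects " OR 1"
    "1 OR 1=1",    // survives the whitelist unchanged; only the numeric check stops it
    "-12,345.67",  // accepted by the regex; separator stripped before interpolation
];

foreach ($samples as $s) {
    $query = buildIdQuery($s);
    printf("%-14s scrub=%-14s numeric=%-5s -> %s\n",
        var_export($s, true),
        var_export(scrub($s), true),
        isNumericValue(scrub($s)) ? 'yes' : 'no',
        $query ?? 'REJECTED');
}
```

Run with `php` on the command line; only "42" and "-12,345.67" produce a query, the other two are rejected.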