danbee Posted June 27, 2007

I've got an HTML page that takes in parameters from the address and passes them to a PHP script which accesses a MySQL database. I'm only allowing alphanumeric characters with the exception of these symbols: ? & = % / - . :

The scrubbing script I use is this:

$str = preg_replace('/[^a-zA-Z0-9?&=%\-.:\/ ]/i', '', $str);

Also, there are some variables that are numbers, so I run the following script to make sure it's numeric:

return (preg_match ("/^(-){0,1}([0-9]+)(,[0-9][0-9][0-9])*([.][0-9]){0,1}([0-9]*)$/", $value) == 1);

Is there anything else I need to worry about?
per1os Posted June 27, 2007

The main worry in SQL injection is the "single quote". If the single quote is not escaped, someone could do something like this:

' OR 1

which would return all records, or they could get really creative and delete the entire table. At any rate, before entry into the database you should escape your data with www.php.net/mysql_real_escape_string to escape the characters that could potentially harm you.
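To make the two approaches in this thread concrete, here is an added example (not code from either poster). It uses PDO against an in-memory SQLite database so it runs offline; the same prepare()/quote() calls work against MySQL with a 'mysql:' DSN. The items table and its two rows are constructed for the demo. The first function concatenates the input the way per1os warns against, the second escapes it (PDO::quote() is the driver-aware counterpart of mysql_real_escape_string, which was removed in PHP 7), and the third uses a prepared statement so the value is never part of the SQL text. A small whitelist check for integer parameters, in the spirit of danbee's numeric regex, is included as well.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// via PDO so it runs stand-alone; the table and rows below are constructed.

function openSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO items (name) VALUES ('apple'), ('banana')");
    return $db;
}

// 1. Raw concatenation: the input's quote closes the string literal and
//    whatever follows is parsed as SQL. This is the hazard per1os describes.
function findByNameUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM items WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping, the fix per1os suggests. PDO::quote() returns the value
//    already wrapped in quotes, with any embedded quotes escaped for the driver.
function findByNameEscaped(PDO $db, string $name): array {
    $sql = 'SELECT id, name FROM items WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value travels separately from the SQL text,
//    so there is no escaping step that can be forgotten.
function findByNameSafe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM items WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Whitelist for parameters that must be integers: optional sign, digits only.
function isIntegerParam(string $value): bool {
    return preg_match('/^-?[0-9]+$/', $value) === 1;
}

$db = openSampleDb();
$payload = "' OR 1";   // the value from per1os's reply

try {
    findByNameUnsafe($db, $payload);
} catch (PDOException $e) {
    // The statement became  ... WHERE name = '' OR 1'  : the input rewrote
    // the SQL, which here surfaces as a syntax error from the database.
    echo "unsafe:   query structure changed (", $e->getMessage(), ")\n";
}
echo 'escaped:  ', count(findByNameEscaped($db, $payload)), " rows\n";
echo 'prepared: ', count(findByNameSafe($db, $payload)), " rows\n";
echo 'prepared: ', count(findByNameSafe($db, 'apple')), " rows\n";

var_dump(isIntegerParam('42'));
var_dump(isIntegerParam('42 OR 1'));
```

With the concatenated query the database reports an error because the input's quote ended the literal early, whereas both the escaped and the prepared versions compare the whole payload literally against the name column and return no rows. Of the two, prepared statements are the simpler habit to keep, since escaping has to be applied correctly at every single concatenation point.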