phat_hip_prog Posted September 10, 2007 Share Posted September 10, 2007 Heyho! When validating user input I check it's not empty and then run 'mysql_real_escape_string($s)', I was then going to make sure that it is only alphanumeric, but I wanted to allow certain other characters as well. Realising this must be done before the mysql escape check, what characters should be blocked because they are dangerous, I can only really think of quotes and $. The real escape check should handle the quotes issue, so is the $ an issue or not? :-\ Quote Link to comment Share on other sites More sharing options...
Ninjakreborn Posted September 10, 2007 Share Posted September 10, 2007 Regular Expressions. Quote Link to comment Share on other sites More sharing options...
phat_hip_prog Posted September 10, 2007 Author Share Posted September 10, 2007 How do you mean, yes to remove undesirables i'd use preg_replace(), but are you saying some form of regex could be evaluated just by being in there??? Surely not? There are two points where input is evaluated, well one really and that's input by admin only... Please clarify and example if this is what you meant? Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted September 10, 2007 Share Posted September 10, 2007 so is the $ an issue or not? :-\ Not. mysql_real_escape_string() will take care of all "dangerous" characters for queries. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.