
Sanitizing code

Posted: Sat Feb 13, 2010 4:31 am
by lshaw
Hello

If you use preg_match() to check data, should you still sanitize it afterwards, assuming you are not allowing any "" or \\ or other injection characters in preg_match? e.g. "/^[a-zA-Z0-9 _.-]+$/", which would not allow characters for injection.

Re: Sanitizing code

Posted: Sat Feb 13, 2010 5:18 am
by social_experiment
If you are writing the values to a database, I don't think you can be too sure of the data being entered into it by users you are not familiar with. It's best to use mysql_real_escape_string() if adding data to the database.
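Editor's note, with an added example that is not from either poster: the allowlist pattern in the question is a good first line of defence, but two things are worth knowing. First, in PCRE the "$" anchor also matches just before a trailing newline, so "alice\n" passes /^[a-zA-Z0-9 _.-]+$/; use "\z" (or the D modifier) for a strict end-of-string anchor. Second, the old mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7; the current way to keep user input out of the SQL text is a prepared statement with bound parameters, which needs no escaping step at all. The code below assumes PDO with the pdo_sqlite driver is available; the users table, its columns and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the original thread): allowlist validation with
// preg_match(), then a parameterized query so the database never sees user
// input as SQL text, even if the pattern is later loosened.
declare(strict_types=1);

// The pattern from the question, with the loose "$" anchor.
const USERNAME_PATTERN_LOOSE = '/^[a-zA-Z0-9 _.-]+$/';
// Strict variant: "\z" matches only at the absolute end, and a length cap
// (32 is an assumed limit) stops oversized input early.
const USERNAME_PATTERN_STRICT = '/^[a-zA-Z0-9 _.-]{1,32}\z/';

function validateUsername(string $input): ?string
{
    // preg_match() returns 1 on match, 0 on no match, and false on error
    // (for example invalid UTF-8 with the /u modifier). Only 1 is a pass.
    if (preg_match(USERNAME_PATTERN_STRICT, $input) !== 1) {
        return null;
    }
    return $input;
}

function findUser(PDO $db, string $username): ?array
{
    // Parameter binding: the value travels separately from the SQL text,
    // so quotes or backslashes in it cannot change the query's meaning.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob_smith')");

$samples = [
    'alice',              // valid
    "alice' OR '1'='1",   // rejected by the allowlist: quotes are not permitted
    "alice\n",            // passes the loose "$" pattern, fails the strict "\z" one
    'bob_smith',          // valid, present in the table
    'carol.x',            // valid, not in the table
];

foreach ($samples as $s) {
    $loose = preg_match(USERNAME_PATTERN_LOOSE, $s) === 1 ? 'ok' : 'reject';
    $clean = validateUsername($s);
    printf("%-22s loose=%-6s strict=%-6s", json_encode($s), $loose, $clean === null ? 'reject' : 'ok');
    if ($clean !== null) {
        $row = findUser($db, $clean);
        printf(" -> %s", $row === null ? 'no such user' : 'found id ' . $row['id']);
    }
    echo "\n";
}
```

The allowlist and the prepared statement do different jobs: the pattern enforces what a username is allowed to look like, while parameter binding guarantees the query cannot be altered regardless of what the value contains. Keep both; dropping the binding because the pattern "already blocks quotes" ties the database's safety to a regex that someone will eventually relax.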