When doing a database query with user-inputted data, how would I go about making sure the data is not meant as a hax0r, via Sql-Injection [php.net]?
For instance:
$sql = "SELECT * FROM users WHERE username = $user LIMIT 1";

What I do not understand from the SQL-injection article is how to confirm the inputted data! For instance, we aren't looking at using an integer: it's a username, so we can't use [php_man]is_int()[/php_man].
More than likely, we are looking at something using preg_match or such, to remove the possibility of comments, etc. in the SQL query, but what are your takes on this problem?
Note to moderators: Feel free to move this to "Database" if you feel like it is more relevant to the discussion there.
- Monkey
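The following is an added example, not code from the original post or from any reply to it. It shows why a regex over the username is the wrong primary control and what actually stops the injection: keeping the SQL text fixed and binding the value through a prepared statement. It assumes PHP with the PDO SQLite driver and uses a constructed in-memory "users" table in place of a real one; the table columns, the sample rows and the attacker string are all made up for the demonstration.

```php
<?php
// Added example (not from the original post): string-interpolated query
// beside its prepared-statement replacement, run against a constructed
// in-memory SQLite database. Assumes PHP with the PDO SQLite driver.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)");
$db->exec("INSERT INTO users (username, password_hash) VALUES ('monkey', 'hash1'), ('admin', 'hash2')");

// 1. The pattern from the post: user input pasted into the SQL text.
//    Wrapping $user in quotes does not help; the attacker closes the quote.
function lookupVulnerable(PDO $db, string $user): array {
    $sql = "SELECT id, username FROM users WHERE username = '$user' LIMIT 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Prepared statement: the query text is fixed, the value is sent
//    separately, so the database never parses user data as SQL.
//    No preg_match filtering of quotes or comment markers is needed.
function lookupSafe(PDO $db, string $user): array {
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :user LIMIT 1");
    $stmt->execute([':user' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Optional defense in depth: a whitelist of what a username may look
//    like. Useful for rejecting junk early, but it is not what prevents
//    injection, and a real site may need to allow more characters.
function isPlausibleUsername(string $user): bool {
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $user) === 1;
}

// Constructed attacker input: closes the string literal and appends a
// tautology, turning the WHERE clause into   username = '' OR '1'='1'
$payload = "' OR '1'='1";

var_dump(lookupVulnerable($db, $payload));   // one row comes back although no such user exists
var_dump(lookupSafe($db, $payload));         // empty array: the payload is just a literal value
var_dump(lookupSafe($db, 'monkey'));         // the genuine row
var_dump(isPlausibleUsername($payload));     // false
var_dump(isPlausibleUsername('monkey'));     // true
```

The point of the side-by-side is that the vulnerable and safe functions receive identical input; the difference is purely whether the input can reach the SQL parser as code. With the PDO driver for MySQL, the same `prepare`/`execute` pattern applies; setting `PDO::ATTR_EMULATE_PREPARES` to false there makes the server itself do the binding rather than the client library.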