Hi guys,
I have a site with some input fields that are filled in by users. I use mysql_real_escape_string to prevent SQL injection, as well as checking the input with custom functions.
Is it secure enough (I know that there is always more to be created), and do you know a better technique?
MySQL Injection
- RobertGonzalez
Well, when a user enters their username they are supposed to use letters, numbers, and _, so I just have a function like this:
Code:
$username = str_replace($i, "", $username); // $i is an integer in a loop
$username = str_replace($letter[$i], "", $username); // $letter[$i] is a letter in a loop
$username = str_replace("_", "", $username); // Replace
// Then count the characters left in $username: if there are 0, return true, else return false
- feyd
Code:
return preg_match('#^[a-z0-9_]+$#is', $name);
- RobertGonzalez
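Added example, not part of the original thread: the strip-and-count check and the one-line pattern posted above, next to a stricter variant, run over constructed inputs. It shows two edge cases: the strip-and-count check accepts an empty username, and `$` in the pattern also matches just before a trailing newline, which `\z` does not. The function names and sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): three ways to enforce
// "letters, digits and _ only". Names and inputs are constructed.

// Strip-and-count: remove every allowed character, accept if nothing is left.
function strip_and_count(string $name): bool
{
    $allowed = str_split('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_');
    return strlen(str_replace($allowed, '', $name)) === 0;
}

// The one-line pattern from the reply, unchanged.
function regex_dollar(string $name): bool
{
    return preg_match('#^[a-z0-9_]+$#is', $name) === 1;
}

// Same character class, but \A and \z anchor to the absolute start and
// end of the subject, so a trailing newline is not tolerated.
function regex_strict(string $name): bool
{
    return preg_match('#\A[a-z0-9_]+\z#i', $name) === 1;
}

// Constructed sample inputs.
$samples = [
    'plain'            => 'bob_99',
    'empty string'     => '',
    'trailing newline' => "bob_99\n",
    'quote character'  => "bob'99",
];

printf("%-18s %-8s %-8s %-8s\n", 'input', 'strip', 'regex $', 'regex \z');
foreach ($samples as $label => $value) {
    printf(
        "%-18s %-8s %-8s %-8s\n",
        $label,
        var_export(strip_and_count($value), true),
        var_export(regex_dollar($value), true),
        var_export(regex_strict($value), true)
    );
}
```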