MySQL Injection

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Hi guys,
I have a site which has some input fields which are filled by users. I use mysql_real_escape_string to prevent SQL injection, as well as checking the input with custom functions.
Is it secure enough (I know that there is always more to be created), and do you know a better technique?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Can you post some of your filtration/validation code so we can tell you from a code perspective?
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Well, when a user enters their username they are supposed to use letters, numbers, and _, so I just have a function like this:

Code:

function is_valid_username($username) {
    for ($i = 0; $i <= 9; $i++) { $username = str_replace((string) $i, "", $username); } // $i is a digit in a loop
    foreach (range('a', 'z') as $letter) { $username = str_replace($letter, "", $username); } // $letter is a letter in a loop
    $username = str_replace("_", "", $username); // Replace the underscore
    // Then count the characters left in $username: if there are 0, return true, else return false
    return strlen($username) === 0;
}
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Code:

function is_valid_username($name) {
    return preg_match('#^[a-z0-9_]+$#is', $name); // whole string must be letters, digits or _
}
shortened. :)
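An added example (not code posted in this thread) that runs feyd's whitelist pattern next to a slightly tightened version over a few constructed inputs. The difference it shows: in PCRE, `$` also matches just before a trailing newline, so a name such as "admin\n" passes the posted pattern but not one anchored with `\z`; the length cap in the second function is an assumption added here, not something the thread specifies.

```php
<?php
// Added example, not from the thread: feyd's whitelist regex beside a
// tightened version, run over constructed sample inputs.

function is_valid_username_loose(string $name): bool
{
    // feyd's pattern as posted: case-insensitive letters, digits and underscore.
    // PCRE '$' matches before a final "\n", so "admin\n" is accepted here.
    return preg_match('#^[a-z0-9_]+$#is', $name) === 1;
}

function is_valid_username(string $name, int $maxLen = 32): bool
{
    // \z anchors at the true end of the string (no trailing-newline exception).
    // The length cap is an assumption added for this example.
    return strlen($name) <= $maxLen
        && preg_match('#^[a-z0-9_]+\z#i', $name) === 1;
}

// Constructed inputs: two valid names, a quote-and-comment style string,
// a newline-suffixed name, an empty string and an over-long name.
$samples = [
    "alice_01",
    "Bob",
    "bob'; DROP TABLE users; --",
    "admin\n",
    "",
    str_repeat("a", 40),
];

foreach ($samples as $s) {
    printf(
        "%-32s loose=%-6s strict=%s\n",
        json_encode($s),
        is_valid_username_loose($s) ? "accept" : "reject",
        is_valid_username($s) ? "accept" : "reject"
    );
}
```

Expected: "alice_01" and "Bob" are accepted by both, the quoted string and the empty string are rejected by both, "admin\n" is accepted only by the loose pattern, and the 40-character name is rejected only by the strict one.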
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You can use a simple regular expression to check for that.
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Post by user___ »

Thank you, guys.