Page 1 of 1

MySQL Injection

Posted: Fri Mar 23, 2007 4:24 pm
by user___
Hi guys,
I have a site which has some input fields which are filled by users. I use this :mysql_real_escape_string to prevent from SQL injection as well as checking the input with sutom functions.
Is it enough secure(I know that there is always more to be created) and do you know a better technique?

Posted: Fri Mar 23, 2007 4:45 pm
by RobertGonzalez
Can you post some of your filtration/validation code so we can tell you from a code perspective?

Reply

Posted: Fri Mar 23, 2007 4:58 pm
by user___
Well, when a user enters their usernames they are supposed to use letters, numbers, and _ so I kust have a function like that:

Code: Select all

$username = str_replace($i, "", $username);//$i is an integer in a loop
$username = str_replace($letter[$i] "", $username);//$letter[$i] is a letter in a loop
$username = str_replace("_", "", $username);//Replace
//Then count characters left in $username and if  they are 0 return true else return false

Posted: Fri Mar 23, 2007 5:07 pm
by feyd

Code: Select all

return preg_match('#^[a-z0-9_]+$#is', $name);
shortened. :)

Posted: Fri Mar 23, 2007 5:09 pm
by RobertGonzalez
You can use a simple regular expression to check for that.

Reply

Posted: Fri Mar 23, 2007 5:29 pm
by user___
Thank you, guys.