querying MySQL
Posted: Tue Apr 03, 2007 1:34 pm
by guitarlvr
I know when inserting/updating a record in a database you want to run regex to clean up the input from the form. When only selecting items in a database using form input, would I want to go through the extra processing power of using regex or is it ok to accept whatever the user inputs since it isn't actually inserting the input into the database?
Wayne
try addslashes() function and stripslashes() function
Posted: Tue Apr 03, 2007 2:16 pm
by christian_phpbeginner
Hi,
Why would you want to have extra processing power to SELECT / VIEW data from the database? It won't be useful anyway, because the WRONG data was already inserted or updated into the database.
The extra processing power by using REGEX in this case would be suitable when INSERTING or UPDATING data into the database. If you do that, you will have the correct data stored in your database... means, you would SELECT / VIEW the correct DATA!
If you want to select data from the database, you will need the stripslashes() PHP built-in function.
Posted: Tue Apr 03, 2007 2:36 pm
by guitarlvr
I definitely make sure valid data is being inserted into the database. I just wasn't sure if I should be validating data before I did my select statements. I didn't think I would have to validate it since there is valid data in the database.
Thanks for your response
Wayne
Posted: Tue Apr 03, 2007 3:26 pm
by RobertGonzalez
Always validate your user's input. Always. Just because you are selecting with the input doesn't mean that a user can't sneak SQL into the string and cause all sorts of mischief with your data.
Look up XSS and the like on Google. Never trust user input. Never.
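
The point made in the last reply, as an added example that is not part of the original thread: a SELECT built by concatenating form input next to the same lookup done with validation and a bound parameter. The `users` table, the function names, the input string and the use of an in-memory SQLite database through PDO (standing in for MySQL so the script needs no server) are all assumptions made for illustration.

```php
<?php
// Added example: constructed table and input, not code from the thread.
// Assumption: in-memory SQLite via PDO stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('wayne',  'wayne@example.test'),
            ('robert', 'robert@example.test')");

// Constructed form input: the quote closes the string literal early,
// so the remainder is parsed as SQL rather than compared as a name.
$input = "nobody' OR '1'='1";

// Before: form input concatenated straight into the SELECT.
function find_concatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Validation: accept only what a user name is allowed to look like
// (hypothetical rule: 1 to 32 letters, digits or underscores).
function is_valid_name(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $name) === 1;
}

// After: the value travels as a bound parameter and is never parsed as SQL.
function find_bound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("concatenated SELECT: %d row(s)\n", count(find_concatenated($pdo, $input)));
printf("passes validation:   %s\n", is_valid_name($input) ? 'yes' : 'no');
printf("bound SELECT:        %d row(s)\n", count(find_bound($pdo, $input)));
printf("bound, valid name:   %d row(s)\n", count(find_bound($pdo, 'wayne')));
```

With the concatenated query the WHERE clause no longer restricts the result to one name, which is why read-only queries need the same care as INSERT and UPDATE.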