So I started in the regex forum and was redirected here. Basically I want to ensure that what is entered in a form is checked against SQL exploits.
Here's a link to the other post that should give history for what I'm asking.
viewtopic.php?f=38&t=87169
Does mysql_real_escape_string protect against hacks, to ensure that the data entered cannot destroy or delete preexisting data or compromise the DB in any way?
Thank you for your time,
Joe
Basic security for form action
Re: Basic security for form action
It is necessary, but not sufficient. Read my paper:
http://www.logris.org/security/the-unex ... -injection
What you are doing with regexps (use preg_* btw, it's way faster) is called validation; it's a part of the business logic of the application (what is a valid name according to our rules, how old you should be according to our rules). Escaping data before putting it in the database is mandatory and independent of what validation steps you have done before.
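An added example, not from the original thread or its author, showing the two separate steps the reply describes: validation with preg_* as a business rule, and then putting the value into the query safely regardless of that validation. It assumes a `members(name, age)` table, placeholder connection details, and the mysqli extension (prepared statements and `real_escape_string`) rather than the older mysql_* functions; the function names and the validation rules are invented for illustration.

```php
<?php
declare(strict_types=1);

// Validation (business rule, hypothetical): a display name is 2-40 characters
// made of letters, spaces, hyphens or apostrophes. This says nothing about SQL.
function isValidName(string $name): bool
{
    return preg_match('/^\p{L}[\p{L} \'\-]{1,39}$/u', $name) === 1;
}

// Validation (business rule, hypothetical): age is an integer from 13 to 120.
function isValidAge(string $age): bool
{
    return preg_match('/^\d{1,3}$/', $age) === 1
        && (int)$age >= 13 && (int)$age <= 120;
}

// Preferred way to get the value into the database: a prepared statement.
// The value is bound as data and never becomes part of the SQL text, so this
// step is the same no matter what validation ran before it.
function insertMember(mysqli $db, string $name, string $age): bool
{
    if (!isValidName($name) || !isValidAge($age)) {
        return false; // rejected by the validation step, not a SQL concern
    }
    $stmt = $db->prepare('INSERT INTO members (name, age) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $ageInt = (int)$age;
    $stmt->bind_param('si', $name, $ageInt); // 's' = string, 'i' = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// The same insert using escaping instead of binding. Escaping only does its
// job when the escaped string is placed inside quotes in the query; a numeric
// column is handled by casting, because escaping does not apply to a value
// that is interpolated unquoted.
function insertMemberEscaped(mysqli $db, string $name, string $age): bool
{
    if (!isValidName($name) || !isValidAge($age)) {
        return false;
    }
    $safeName = $db->real_escape_string($name); // escaping depends on the connection charset
    $safeAge  = (int)$age;
    $sql = "INSERT INTO members (name, age) VALUES ('$safeName', $safeAge)";
    return $db->query($sql) === true;
}

// Usage (connection details are placeholders):
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');
$db->set_charset('utf8mb4'); // set the charset before escaping anything
$ok = insertMember($db, $_POST['name'] ?? '', $_POST['age'] ?? '');
echo $ok ? "inserted\n" : "rejected\n";
```

The validation functions encode application rules and will change when the rules change; the prepared statement (or, failing that, escaping plus quoting plus casting) is what keeps the submitted value from being read as SQL, and it stays the same whatever the rules are.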