The use of mysql_real_escape_string() is your first line of defense against "SQL injection" by hackers. If you neglect to use it, you run the risk that someone will find your web form and enter in the "name" input box:
Many thanks. As I said I'm a noob and that's the type of advice I'm looking for. The management portion of the site is closed to most people but it would be nice to prepare for the 13 year old attack.
Sidenote: I would advise you not to use the ereg functions, but instead switch to the preg functions. PCRE is generally considered more powerful and faster.
So my brain has stopped working. All I really wanted to do here is make sure that nothing that could delete the table could be included, or whatever exploits are out there for scumbags to use. Am I wasting my time with pattern matching? If I just include the mysql_real_escape_string, does that accomplish the task? Is there a similar function like is_numeric for "is alphanumeric with periods, commas, and quotations"? I know these may seem like dumb questions but I'm just not getting it.
jeaux wrote:
So my brain has stopped working. All I really wanted to do here is make sure that nothing that could delete the table could be included, or whatever exploits are out there for scumbags to use. Am I wasting my time with pattern matching? If I just include the mysql_real_escape_string, does that accomplish the task? Is there a similar function like is_numeric for "is alphanumeric with periods, commas, and quotations"? I know these may seem like dumb questions but I'm just not getting it.
Many thanks for your time.
Joe
Sorry, I didn't really focus on what you were trying to do. The subject of sql injection, and security in general is a broad one, and I'm not competent to offer authoritative advice, but there is an entire Security forum here that you might want to check. At my level of security knowledge, it's my understanding that mysql_real_escape_string() is a major step that defeats the simple exploits, also handles apostrophes in text, etc. I'm sure that, by itself, it's not a cure-all for security.
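An added example that is not any poster's code. It covers three things raised in the thread: what the first post's "name" box attack does to the query text and how escaping changes that, the preg-instead-of-ereg sidenote, and the "is_numeric for alphanumeric plus periods, commas and quotes" question. It needs no MySQL server: the query-building functions only produce strings, so the effect of each approach is visible directly. Assumptions, all mine: the hostile input is constructed; `escape_like_mysql()` is a stand-in for mysql_real_escape_string() (which requires an open connection) that applies the escaping rules from that function's documentation and assumes a single-byte or UTF-8 connection charset; the prepared-statement part uses PDO with an in-memory SQLite database, so it runs only where the pdo_sqlite extension is loaded, but parameter binding behaves the same way against MySQL.

```php
<?php
// Added example for this thread, not code from any poster. No database server
// is needed: functions 1-3 only build query strings. Function 4 uses PDO with
// SQLite in memory (assumption: pdo_sqlite is available) in place of MySQL.

// Constructed attacker input for the "name" box. The quote ends the string
// literal the value was meant to sit in, and "--" comments out the rest.
const HOSTILE_NAME = "x'; DROP TABLE users; -- ";

// 1. Unescaped interpolation: the input becomes part of the SQL grammar.
function build_unescaped(string $name): string
{
    return "INSERT INTO users (name) VALUES ('" . $name . "')";
}

// 2. Stand-in for mysql_real_escape_string(), which needs a live connection.
//    Applies the rules its documentation lists: a backslash before NUL, \n,
//    \r, backslash, single quote, double quote and Ctrl-Z. Assumes a
//    single-byte or UTF-8 connection charset.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

function build_escaped(string $name): string
{
    return "INSERT INTO users (name) VALUES ('" . escape_like_mysql($name) . "')";
}

// 3. The caveat behind "not a cure-all": escaping only protects a value that
//    sits between quotes. An unquoted numeric slot stays injectable, because
//    the payload needs no quote character for the escaper to act on.
function build_numeric_slot(string $id): string
{
    return "SELECT * FROM users WHERE id = " . escape_like_mysql($id);
}

// 4. Prepared statement: the value travels separately from the SQL text, so
//    the hostile string is stored as plain data and the table survives.
function insert_prepared(string $name): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->execute([$name]);
    return $db->query('SELECT name FROM users')->fetchAll(PDO::FETCH_COLUMN);
}

// 5. The pattern-matching question: a whitelist check with preg (PCRE), not
//    the deprecated ereg functions. Allows letters, digits, space, period,
//    comma and both quote characters, nothing else. \A and \z anchor the
//    whole string; a trailing "$" would still permit a final newline.
function is_alnum_punct(string $s): bool
{
    return preg_match('/\A[A-Za-z0-9 .,\'"]+\z/', $s) === 1;
}

// Demo: run with `php example.php`
echo build_unescaped(HOSTILE_NAME), "\n";      // query now contains DROP TABLE
echo build_escaped(HOSTILE_NAME), "\n";        // quote becomes \' and stays data
echo build_numeric_slot('1 OR 1=1'), "\n";     // escaped, yet still injected
if (extension_loaded('pdo_sqlite')) {
    var_dump(insert_prepared(HOSTILE_NAME));   // one row holding the raw string
}
var_dump(is_alnum_punct("O'Brien, Jr."));      // true
var_dump(is_alnum_punct(HOSTILE_NAME));        // false: ";" and "-" not allowed
```

Two points to take from it. First, the whitelist and the escaping answer different questions: the whitelist rejects characters the field should never contain, but because it deliberately admits quotes, a value like `x' OR '1'='1` passes it, so validation on its own is not an injection defense; the value must still be escaped inside quotes or, better, bound as a parameter. Second, the numeric-slot case shows why escaping is a per-context fix: it only helps where the value is wrapped in quotes, while a prepared statement covers every slot the same way.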