ctype_alnum vs mysql_real_escape_string
Posted: Wed Jan 14, 2009 10:25 am
Hi all, very very new to the forum, just wanted to ask a few questions on protecting against SQL injection (or specifically how I've gone about it).
I'm currently looking at making a login form for a training company. I'm by no means an advanced PHP developer (yet!) but I'm looking to learn every step I take and above all make sure my code is secure before it goes live.
As the title implies, I was wondering what problems lie with using the ctype_alnum over the standard character escaping method for validating data? My usernames are all definitely alphanumeric so can any malicious queries still be made bypassing the ctype_alnum check?
As my usernames are unique, if the username validates as alphanumeric then I simply run a count query and make sure that one result is returned (preventing wildcard results yes?) so only if the username is of valid format and only one result is returned do we start checking any fields in the database. If the result is ever greater than 1 then I think I'll have a log set up to record it or a mail notification of some sort.
Is there anything I haven't considered here? Any comments would be greatly appreciated. ooh and I'll happily submit my code example if I haven't explained myself clearly.
If anyone can help, thanks in advance...
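An added example (my code, not the poster's) of the approach the question describes, done the way a defender would write it today: ctype_alnum as an allow-list on the username, but the lookup itself through a prepared statement so that no value, validated or not, is ever concatenated into SQL. That also answers the "vs mysql_real_escape_string" part for the password, which cannot be restricted to alphanumerics and which should never reach the database at all, only be compared against a stored hash in PHP. Two caveats on ctype_alnum worth knowing: it follows the process locale on PHP versions before 8.0, and it returns false for an empty string, so a type and length check belongs beside it. On the count query: because the column is UNIQUE, the count can never exceed 1, so fetching the single row directly gives the same guarantee. Assumptions: PHP 8 or later with the PDO and pdo_sqlite extensions, a table `users(username UNIQUE, password_hash)` that I construct in memory for the demo, and passwords stored with password_hash(); the 32-character limit is an assumed policy.

```php
<?php
// Added example, not from the original post: allow-list validation of the
// username with ctype_alnum, then a parameterised lookup so no user-supplied
// value is ever spliced into the SQL string.
// Assumes PHP 8+, PDO with pdo_sqlite, and a users table
// (username UNIQUE, password_hash) filled with password_hash() output.

declare(strict_types=1);

const USERNAME_MAX_LEN = 32; // assumed policy: bounded length keeps the check cheap

/**
 * Allow-list check for the username. ctype_alnum() accepts only [A-Za-z0-9]
 * in the C locale, but it follows the current locale on PHP < 8.0 and returns
 * false for '', so the type and length are checked explicitly as well.
 */
function isValidUsername(mixed $value): bool
{
    if (!is_string($value)) {   // old PHP treated ints as ASCII codes in ctype_*
        return false;
    }
    $len = strlen($value);
    return $len > 0 && $len <= USERNAME_MAX_LEN && ctype_alnum($value);
}

/**
 * Looks the account up with a prepared statement. Even an allow-listed value
 * travels as a bound parameter, so the SQL text never depends on user input.
 * Returns the row or null; at most one row can match because username is UNIQUE.
 */
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Full login check. The password is not restricted to alphanumerics (that
 * would only weaken it) and is never placed in SQL; it is compared against
 * the stored hash in PHP.
 */
function login(PDO $db, mixed $username, mixed $password): bool
{
    if (!isValidUsername($username) || !is_string($password)) {
        error_log('login: rejected malformed username'); // the "log it" idea from the post
        return false;
    }
    $row = findUser($db, $username);
    if ($row === null) {
        // Verify against a dummy hash so a missing account costs the same time as a real one.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// --- constructed demo against an in-memory SQLite database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users VALUES (:u, :h)');
$ins->execute([':u' => 'alice42', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);

var_dump(isValidUsername('alice42'));   // true
var_dump(isValidUsername("al'ice"));    // false: a quote fails the allow-list
var_dump(isValidUsername(''));          // false: ctype_alnum('') is false anyway, length check makes it explicit
var_dump(login($db, 'alice42', 'correct horse battery')); // true
var_dump(login($db, 'alice42', 'wrong'));                 // false
var_dump(login($db, 'nobody', 'anything'));               // false, same cost as a real account
```

Note that mysql_real_escape_string belongs to the old mysql extension, which was removed in PHP 7, so on any current PHP the choice is not "ctype_alnum or escaping" but "allow-list the fields you can, and bind every field as a parameter regardless".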