Posted by Gordon Burditt on 12/27/06 01:39
>I would like to ask if Regular expression is the best way to deal with
>SQL injection attack, and no mysql_real_escape_string() is used:
>
>if (preg_match('/^[A-Za-z0-9]{4,6}$/', $input)) { // anchored, braces for the count, subject string supplied
> print "Success!";
>}
>
>In the above example, only character and digit are allowed. Other
You mean letter and digit, don't you?
Certain characters (e.g. single quote, double quote, backslash) are
ones that cause trouble.
>injection techniques are not used.
Your approach will not work where valid input (e.g. of human names)
includes characters which need to be escaped (e.g. 'Miles O'Brien')
and spaces. On the other hand, it may work fine (if you change the
length limit) for inputting license plate numbers and possibly
product serial numbers. It will NOT work for inputting serial
numbers on US currency, which sometimes contain '*' as the last
character.
>Is it correct? Did I make any foolish assumptions or mistakes? Please
>let me know.
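An added PHP example, not part of the thread, that puts the two points of the reply side by side: an anchored allowlist check is enough for a constrained field such as a plate number, while a name like "Miles O'Brien" has to reach the database as a bound parameter rather than through a character filter. It assumes the pdo_sqlite extension and a hypothetical `customers` table.

```php
<?php
// Added example (not from the original thread).

// Allowlist validation for a constrained field. The anchors (^ and $) and
// the braces {4,6} matter: the regex quoted in the thread had neither, so
// preg_match would accept any string that merely contains four alphanumerics.
function isValidPlate(string $value): bool
{
    return preg_match('/^[A-Za-z0-9]{4,6}$/', $value) === 1;
}

// Free-text field: no regex can both admit "Miles O'Brien" and exclude the
// quote, so keep data and SQL apart with a bound parameter instead of
// escaping by hand.
function findCustomerByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database (constructed rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO customers (name) VALUES ('Miles O''Brien'), ('Ann Lee')");

// Plate-style inputs: only the fully alphanumeric, correctly sized one passes.
foreach (['AB1234', 'AB 1234', "AB'12", 'xyzAB1234pqr'] as $plate) {
    printf("%-14s => %s\n", $plate, isValidPlate($plate) ? 'accepted' : 'rejected');
}

// The apostrophe in the name travels as data, not as SQL syntax.
print_r(findCustomerByName($db, "Miles O'Brien"));
```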