Posted by tg-php on 03/27/05 00:38
Actually I was just about to look into this again myself since I'm working on a project that I'd like to protect from SQL injections.
htmlentities() is a start, but that's not going to protect you from someone using apostrophes (single quotes) and breaking your SQL in other ways.
While some of the things you need to guard against aren't really security issues, there's still a handful of things you want to do to your data before you put that data into a SQL string.
So if I could broaden the question and ask, in general, what people recommend for pre-processing data before it goes into a SQL statement... for security and for things like making sure single quotes and other special characters are escaped properly?
htmlentities()
addslashes() (if magic quotes isn't turned on, right?)
What else?
-TG
= = = Original message = = =
Hi,
Just a quick question, I have been reading a lot about SQL injection doing a
s**tload of damage to many sites, I myself use a pagination class which
sends the page number from page to page in a $_GET['page'] request which
gets used in a LIMIT parameter.
From what I have been reading, wrapping all my GET and POST requests in a
htmlentities() function should keep me safe... right? Or what else should
I/can I do?
eg:
$page = htmlentities($_GET['page']);
Thanks,
Ryan
--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.308 / Virus Database: 266.8.3 - Release Date: 3/25/2005
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
___________________________________________________________
Sent by ePrompter, the premier email notification software.
Free download at http://www.ePrompter.com.
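As an added illustration (not code posted by anyone in this thread): the two cases raised above handled the way the replies hint at. A page number that ends up in LIMIT is validated as an integer before it gets anywhere near the SQL string, and a user-supplied string is passed as a bound parameter so the database driver keeps data and SQL text apart. The helper name pageNumber() is made up for this example, the rows are constructed sample data, and the script assumes PDO with the SQLite driver so it can run offline against an in-memory database.

```php
<?php
// Added example, not code from the thread: getting a $_GET['page'] value into a
// LIMIT clause safely, and passing a user-supplied string into a query.
// Runs offline against an in-memory SQLite database (PDO sqlite driver); the table
// and rows below are constructed sample data.

// Constructed stand-in for $_GET; a real script would use $_GET directly.
$get = ['page' => '2', 'name' => "O'Brien"];

// A page number is an integer, so validate it as one. Anything else (letters,
// quotes, SQL fragments) fails validation and falls back to the default page.
function pageNumber(array $input, int $default = 1): int
{
    $page = filter_var(
        $input['page'] ?? $default,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $page === false ? $default : $page;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['Alice', "O'Brien", 'Ryan', 'Bob', 'Carol'] as $name) {
    $insert->execute([':name' => $name]);
}

// LIMIT/OFFSET: after pageNumber() the values are integers the script computed
// itself, so interpolating them is safe and sidesteps driver differences in
// binding LIMIT parameters.
$perPage = 2;
$page    = pageNumber($get);
$offset  = ($page - 1) * $perPage;
$rows = $pdo->query("SELECT id, name FROM users ORDER BY id LIMIT $perPage OFFSET $offset")
            ->fetchAll(PDO::FETCH_ASSOC);
printf("page %d: %s\n", $page, implode(', ', array_column($rows, 'name')));

// String input: bind it as a parameter. The driver keeps the value separate from
// the SQL text, so the apostrophe in O'Brien is data rather than syntax; no
// addslashes() is needed, and htmlentities() belongs at HTML output time, not here.
$find = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$find->execute([':name' => $get['name']]);
$id = $find->fetchColumn();
printf("%s has id %s\n", $get['name'], $id === false ? 'none' : $id);
```

Run with a PHP build that has the pdo_sqlite extension; the first line prints "page 2: Ryan, Bob" and the second finds O'Brien by exact name. The point of the split is that each input gets the treatment its type needs: numbers are validated as numbers, strings are bound as parameters, and HTML escaping is left for the HTML.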