Re: mysql_real_escape_string();

Posted by Tom on 02/23/07 19:53

On Fri, 23 Feb 2007 06:11:01 -0800, peter wrote...
>
>> Is there really any time when I don't want to run every _POST and _GET
>> through mysql_real_escape_string() before I use that data in accessing the
>> database?
>>
>> In other words, is there a good reason why I shouldn't have a function
>> that walks through the POST[] and GET[] arrays and processes the
>> mysql_real_escape_string() function against the data in order to ensure
>> that there will be no attempts to do an SQL inject?
>
>You should be validating user input before you put it into the database and
>using that function at the top of your script will hinder your validation
>attempts (as you will end up with escape characters in the string). If for
>example you ask someone their age in a form ensure it is an int. If it is an
>int then there is no need to use that function on it.
>
>

Definitely. Any type of form data is input from the outside world and sometimes
junk goes in by accident and other times on purpose. I would always check any
$_GET or $_POST variables before trying to use them in an SQL command. As you
mentioned Peter, if you are expecting a number back, that can be a pretty simple
check. If it's not an integer, you can use functions like "preg_match" and
regular expressions to validate the information also.

Tom
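The approach both replies describe, as an added example that is not code from the thread: check each $_POST field against the type the form expects, and see what happens to a legitimate value when the whole array is escaped first. The sample input and the mysqli prepared statement at the end are constructed and assumed.

```php
<?php
// Added example, not code from the thread. Each field is checked against the
// type the form expects before it goes anywhere near the database; escaping
// the whole $_POST array up front only gets in the way of that check.

/** Validate one form submission; returns ['clean' => [...], 'errors' => [...]]. */
function validateForm(array $in): array
{
    $clean = [];
    $errors = [];

    // Integer field (peter's "age" case): must parse as an int in a sane range.
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors[] = 'age must be an integer between 0 and 150';
    }

    // Text field: allow-list with a regular expression (Tom's preg_match).
    // An apostrophe is legitimate in a surname, so it is in the allowed set.
    if (preg_match('/^[A-Za-z0-9\' .-]{1,32}$/', $in['username'] ?? '')) {
        $clean['username'] = $in['username'];
    } else {
        $errors[] = 'username contains unexpected characters';
    }

    // Field that becomes part of the query structure (ORDER BY): escaping can
    // never protect this, so it must match a fixed list exactly.
    if (in_array($in['sort'] ?? '', ['name', 'age'], true)) {
        $clean['sort'] = $in['sort'];
    } else {
        $errors[] = 'sort column not allowed';
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample input standing in for $_POST.
$post = ['age' => '42', 'username' => "o'neil", 'sort' => 'name'];

// Validate the raw input: all three fields are accepted.
$raw = validateForm($post);
echo 'raw input errors: ' . count($raw['errors']) . PHP_EOL;

// Escape first, validate second. addslashes() stands in for
// mysql_real_escape_string(), which needs a live connection: "o'neil" becomes
// "o\'neil" and is now rejected, which is the problem peter describes.
$escaped = validateForm(array_map('addslashes', $post));
echo 'escaped-first errors: ' . implode('; ', $escaped['errors']) . PHP_EOL;
```

Once the values have passed validation, binding them with a prepared statement (for example mysqli's `prepare()` and `bind_param('is', ...)`, assumed here) removes the need for a manual escaping step entirely.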

Copyright © 2005-2006 Powered by Custom PHP Programming