Posted by Jasper Bryant-Greene on 03/27/05 09:08

Ryan A wrote:
> Hi,
> Just a quick question, I have been reading a lot about SQL injection doing a
> s**tload of damage to many sites, I myself use a pagentation class which
> sends the page number from page to page in a $_GET['page'] request which
> gets used in a LIMIT parameter.
>
> From what i have been reading, wrapping all my GET and POST requests in a
> htmlentities() function should keep me safe....right? or what else should
> i/can i do?
>
> eg:
> $page= htmlentities($_GET[page]);
>
> Thanks,
> Ryan

htmlentities() is for displayed data. it will not protect against SQL
injection.

The best way to protect against SQL Injection is:
for string data, mysql_real_escape_string() or your database's equiv.
function
for all other data, type-check it with intval(), floatval() etc.

--
Jasper Bryant-Greene
Cabbage Promotions
www: www.cabbage.co.nz
email: jasper@cabbage.co.nz
phone: 021 232 3303

Public Key: Jasper Bryant-Greene <jasper@cabbage.co.nz> keyID 0E6CDFC5
Fingerprint: 2313 5641 F8F6 5606 8844 49C0 1D6B 2924 0E6C DFC5

[Back to original message]