ge********@gmail.com wrote in news:1137540834.595198.106210
@o13g2000cwo.googlegroups.com:
Hello everyone,
Put simply we have recently been the victims of a malicious hacker
because we were not aware of the dangers of SQL injection. Now, I am
adding addition validation to my forms and also GET variables (we are
using PHP). Does anyone have any good techniques for the kind of
validation I should be using to avoid SQL injection? I basically want
to create a PHP function, fun any form variables through the function,
and then stop the script from executing if any bad input in found.
Thanks for all of your help. I don't want us to lose all of our data
again!
GE
well, there are many ways to clean user input, and more than one should
be used at a time.
the first thing i do to ANY user input variable is addslashes(); which
will turn ' into /' and render ineffective any attempt to insert/delete
records from the database. i'm not sure if this
with any data i am expecting to be numerical, i is_numeric(); it, and
toss the user to an ugly error page if its not numeric
also, i rarely ever use anything the user gives me for direct use in my
database. if i need the user to tell me the name of a
column/database/field they need to use for a particular operation, i use
MY short forms/abbreviations, look for them, and then substitute the
right names. ie: in a url "search.php?value=416&searchtype=phone", my
script would say something like...
if($searchtype=="phone") {
$realquery = "SELECT * FROM TELEPHONES ETC ETC";
}
....instead of putting 'TELEPHONES' directly into the URL itself. by
using my own shorthand/abbreviations for real column names, table types,
or ANYTHING database, I can look out for those variables specifically and
ignore anything that isn't what im looking for. So in your case, mix up
the real form variable names with temporary ones.
I'm sure there are many other tips, but the main theme is: if you can
help it, trust NOTHING you get back from the user.
