After realising how easy it is for a malicious user to inject an SQL query
into a parameter for a query, e.g.:
$query = "SELECT name FROM employees WHERE ID = ".$HTTP_GET_VARS['id'];
And the user enters for the query string: mypage.php?id=1 UNION DISTINCT....
I'm trying to work out what level of protection is needed. As far as I can
see, for integer values I should just validate that a numeral has been
entered, and for text the addslashes() or mysql_escape_string() functions
are enough. Am I right in saying this?
Thanks,
Peter.
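Peter's question above, illustrated with an added example (not code from the original post or from PHP's own documentation): the concatenated query beside a hardened version that checks integers with ctype_digit() and binds parameters with PDO, so no escaping function has to be trusted for the text case. It assumes PHP with the PDO SQLite driver and constructs a toy employees table in memory.

```php
<?php
// Added example (not from the original post). Constructed in-memory table
// so the script runs offline; the employees/ID/name columns mirror the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE employees (ID INTEGER PRIMARY KEY, name TEXT, salary INTEGER)");
$pdo->exec("INSERT INTO employees VALUES (1, 'alice', 50000), (2, 'bob', 60000)");

// Vulnerable pattern from the post: the request parameter is concatenated
// into the SQL text, so a crafted value changes the query's structure.
function lookupVulnerable(PDO $pdo, string $id): array {
    $query = "SELECT name FROM employees WHERE ID = " . $id;
    return $pdo->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened, integer case: reject anything that is not a plain decimal
// integer before it reaches the database, then bind it as an integer.
function lookupById(PDO $pdo, string $id): array {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException("id must be a non-negative integer");
    }
    $stmt = $pdo->prepare("SELECT name FROM employees WHERE ID = :id");
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened, text case: a bound parameter is always sent as data, so quote
// characters in the value cannot terminate the string literal.
function lookupByName(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare("SELECT name FROM employees WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$crafted = "1 UNION SELECT salary FROM employees";   // constructed input, same shape as the post's id=1 UNION ...
var_dump(lookupVulnerable($pdo, $crafted));          // one name plus every salary: the query was rewritten
try {
    lookupById($pdo, $crafted);                      // never reaches the database
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
var_dump(lookupById($pdo, "1"));                     // ["alice"]
var_dump(lookupByName($pdo, "bob' OR '1'='1"));      // [] : the whole string is compared as a name
```

Run it with `php example.php`; the validation step is what makes the integer case safe, and the bound parameters are what make the text case safe without addslashes() or mysql_escape_string().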