As John said, you want to filter whatever comes back from the browser.
If you have a single chokepoint for database access, good. If you have
db queries scattered all over the code, you may have quite a bit of work
to do.
The PEAR Validate library is very good for checking input.
Another thing you can do is to give the PHP application only the minimum
privileges it needs to do its job. Maybe the application doesn't need
to delete tables?
Here is a simple function that will eliminate most SQL injection
attacks:
function filter_sql($input) {
    // Case-insensitive, single-pass removal of the listed keywords.
    // eregi_replace() was removed in PHP 7; preg_replace() with /i is the equivalent.
    $reg = '/delete|update|union|insert/i';
    return preg_replace($reg, '', $input);
}
This was all covered in my class. See:
http://wsms.wikiplanet.com/mediawiki/index.php/PHP/Validation
George
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
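Added example, not from George's post or the class page it links: a Python port of the same keyword-stripping filter (same pattern, same case-insensitive single-pass replacement), run against an in-memory SQLite table beside the bound-parameter query a single database chokepoint would use instead. The users table, its rows and the test inputs are constructed for illustration.

```python
import re
import sqlite3

# Port of the post's filter: strip the four keywords, case-insensitively,
# in one pass (the semantics of eregi_replace / preg_replace).
KEYWORDS = re.compile(r"delete|update|union|insert", re.IGNORECASE)


def filter_sql(value: str) -> str:
    return KEYWORDS.sub("", value)


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the post): a two-row users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_filtered(conn: sqlite3.Connection, name: str) -> list:
    """Blocklist then string concatenation: the filter runs, but the
    value is still parsed as SQL, so a quote-based tautology passes through."""
    sql = ("SELECT name FROM users WHERE name = '"
           + filter_sql(name) + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Chokepoint style: the driver binds the value; nothing in it
    can change the statement, so no keyword filtering is needed."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("nested keyword survives one pass:", filter_sql("deldeleteete"))
    print("legitimate text mangled:", filter_sql("Updated Union Street"))
    print("filtered + concatenated:", lookup_filtered(db, tautology))
    print("parameterized:", lookup_parameterized(db, tautology))
```

Three things the run shows: the tautology contains none of the four keywords, so the filter passes it untouched and the concatenated query returns every row; a nested keyword such as `deldeleteete` collapses to `delete` after the single pass, so even the listed words are not reliably removed; and ordinary data containing those words ("Updated Union Street") is corrupted. The parameterized lookup returns nothing for the same input because the bound value is never interpreted as SQL.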