I have always either used parameterized queries or just done a
$p.replace("'","\\'"). Is there something beyond a ' that I would have
to worry about escaping inside a quoted string (like a terminating
character, I have been assuming that all the other characters except
the ' are escaped at the lower layer)?
Also, a note: it's important to also escape data that's coming out of
the database too. For instance, user comments, usernames,
descriptions, etc. I know it's easy to do in Ruby on Rails and Django,
so I can only guess given PHP's comprehensiveness that there is a
similar PHP function.
-Nikolaj
On 8/23/07, George <[EMAIL PROTECTED]> wrote:
> As John said, you want to filter whatever comes back from the browser.
> If you have a single chokepoint for database access, good. If you have
> db queries scattered all over the code, you may have quite a bit of work
> to do.
>
> The PEAR Validate library is very good for checking input.
>
> Another thing you can do is to give the PHP application only the minimum
> privileges it needs to do its job. Maybe the application doesn't need
> to delete tables?
>
> Here is a simple function that will eliminate most SQL injection
> attacks:
>
> function filter_sql($input) {
> $reg = "(delete)|(update)|(union)|(insert)";
> return(eregi_replace($reg, "", $input));
> }
>
> This was all covered in my class. See:
> http://wsms.wikiplanet.com/mediawiki/index.php/PHP/Validation
>
> George
>
>
> --
> [email protected]
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
>
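The two points Nikolaj raises, parameterized queries instead of hand-rolled quote escaping and escaping data on its way out of the database, worked through in PHP as an added example that is not from the thread. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, column names and sample values are constructed.

```php
<?php
// Added example (not from the thread): parameterized queries plus output escaping.
// PDO with an in-memory SQLite database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input. Beyond the single quote, a backslash matters too: with a
// plain replace("'", "\\'") an input backslash can neutralise the added backslash, and
// for MySQL the driver's escaper also handles NUL, \n, \r, " and Ctrl-Z. Parameterizing
// sidesteps the whole question because the data never becomes part of the SQL text.
$author = "O'Brien \\ \"admin\"";
$body   = "<script>alert(1)</script> -- ' OR 1=1";

// Parameterized INSERT: no character in $author or $body can close the literal
// or append a clause, and the stored value is exactly what the user typed.
$stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$stmt->execute([':author' => $author, ':body' => $body]);

// Parameterized SELECT using the same untrusted value as a lookup key.
$stmt = $db->prepare('SELECT author, body FROM comments WHERE author = :author');
$stmt->execute([':author' => $author]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
assert(count($rows) === 1 && $rows[0]['body'] === $body); // round-trips unchanged

// Output escaping: what comes back from the database is still untrusted for the
// HTML context. htmlspecialchars is the PHP counterpart of the Rails/Django
// template escaping Nikolaj mentions; ENT_QUOTES covers both quote styles.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($rows as $row) {
    printf("<p><b>%s</b>: %s</p>\n", html_escape($row['author']), html_escape($row['body']));
}
// The stored <script> tag is emitted as &lt;script&gt;, so the browser renders it
// as text rather than executing it.
```

Note that the escaping is context-specific: htmlspecialchars is for HTML bodies and attributes, and a value placed in a URL or JavaScript string needs that context's encoder instead.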