I'm new to PHP and would like to make certain that I have the basic
protection for the site:
Use double quotes to contain variable
Use mysql_escape_string so that query is considered part of the WHERE
$result=mysql_query('SELECT * FROM users WHERE
I'm pulling prices from a database and sending the item ID which has 4
characters (1001, 1002, etc.)
Is the following unnecessary with mysql_escape_string?
if (preg_match("/^\w{4,4}$/", $_GET['username'], $matches))
   $result = mysql_query("SELECT * FROM items WHERE
 else // we don't bother querying the database
   echo "itemID not accepted";

Reply via email to