Personally, I always check variables that I'm using in a query. If I'm
expecting eg a session id (32 hex characters) I check that the session id is
a valid one - ie "!$[0-9a-f]{32}$!" (I use ! as delimiter in regexps).

Allthough mysql_escape_string will probably protects me from injections, I
still verify the data.


-----Original Message-----
From: mayo [mailto:[EMAIL PROTECTED]
Sent: 16 May 2005 23:55
Subject: [PHP-DB] sql injection attack, protection from

I'm new to PHP and would like to make certain that I have the basic
protection for the site:
Use double quotes to contain variable
Use mysql_escape_string so that query is considered part of the WHERE
$result=mysql_query('SELECT * FROM users WHERE
I'm pulling prices from a database and sending the item ID which has 4
characters (1001, 1002, etc.)
Is the following unnecessary with mysql_escape_string?
if (preg_match("/^\w{4,4}$/", $_GET['username'], $matches))
   $result = mysql_query("SELECT * FROM items WHERE
 else // we don't bother querying the database
   echo "itemID not accepted";

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to