On Mon, 23 Jun 2003 08:59:56 +0300, you wrote:
>Is there any way, doc, article, example, idea, suggestion to how to
>prevent sql injection on php sites...
It's really not that hard to do.

Rule 1: Never trust the client

This means validating all data that comes from the client - make sure that integers are really integers, dates are really dates and in the correct range, etc. etc. Never rely on JavaScript alone to do this. But this is just good practice - you should be doing this kind of server-side validation already.

Most importantly, escape any client-generated data before passing to your database. E.g. use mysql_real_escape_string() for MySQL.

In addition, your PHP scripts should be connecting to the database as a user with minimal permissions - e.g. they shouldn't have permission to delete data, drop tables, etc. unless they really need it.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
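The three rules from the reply above, applied to a single query as an added example (not code from the thread or from PHP's own documentation). It uses mysqli_real_escape_string(), the mysqli counterpart of the mysql_real_escape_string() named in the reply, because the old mysql extension was removed in PHP 7; the table, column names and credentials are assumed.

```php
<?php
// Added example: validate typed fields server-side, escape free-form strings,
// and run the query as a least-privilege database user.

// Returns a safe SQL string, or null when any client field fails validation.
function build_order_query(mysqli $link, array $in): ?string
{
    // Integer: all digits and in range. A value like "7 OR 1=1" fails ctype_digit().
    if (!isset($in['id']) || !ctype_digit($in['id']) || (int)$in['id'] < 1) {
        return null;
    }
    $id = (int)$in['id'];   // a genuine integer may be interpolated unquoted

    // Date: right shape AND a real calendar date (2003-02-30 is rejected by checkdate()).
    if (!isset($in['since'])
        || !preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $in['since'], $m)
        || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return null;
    }
    $since = $in['since'];

    // Free-form text cannot be validated into a safe shape, so it is escaped with the
    // connection's charset-aware escaper and always placed inside quotes.
    $name = mysqli_real_escape_string($link, $in['name'] ?? '');   // O'Brien -> O\'Brien

    // Vulnerable form for comparison (never do this):
    //   "SELECT ... WHERE id = " . $in['id']      -> ... WHERE id = 7 OR 1=1
    return "SELECT id, total FROM orders WHERE id = $id"
         . " AND customer = '$name' AND created >= '$since'";
}

// Minimal permissions: connect as a user that can only read this table, e.g.
//   GRANT SELECT ON shop.orders TO 'app_reader'@'localhost';
// so that a missed escape elsewhere cannot DELETE or DROP anything.
$link = mysqli_connect('localhost', 'app_reader', 'secret', 'shop');
if (!$link) {
    die('Connection failed: ' . mysqli_connect_error());
}
mysqli_set_charset($link, 'utf8mb4');   // escaping is only correct for the connection charset

// Constructed inputs: the first is rejected outright, the second is escaped and run.
var_dump(build_order_query($link, ['id' => '7 OR 1=1', 'name' => 'x', 'since' => '2003-06-23']));
$sql = build_order_query($link, ['id' => '7', 'name' => "O'Brien", 'since' => '2003-06-23']);
$result = $sql ? mysqli_query($link, $sql) : null;
```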