Dmitri wrote:
> Your validation looks good enough to me. If you only allow
> alphanumerical chars, then you should not be worried about SQL injection.
> Also use addslashes($username) before you insert into the database and you
> should be fine.
> 
> Usually addslashes is enough to prevent this, but the validation that
> you have is also enough. So if you are worried about SQL injection, then
> use both and you should be fine.

Ahh, that's just wrong.

I can encode an SQL query into hex code and that'll pass alphanumeric
validation.

Use mysql_real_escape_string when you save your data, or use
parameterized queries.

http://www.php.net/mysql_real_escape_string
http://www.php.net/manual/en/pdo.prepared-statements.php
http://www.php.net/manual/en/mysqli.prepare.php

-- 
Postgresql & php tutorials
http://www.designmagick.com/
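The difference between splicing input into the SQL text and binding it as a parameter, as an added example that is not part of the original thread. It uses PDO against an in-memory SQLite database so it runs offline; the table, rows and the sample username are constructed for the example, and the same PDO calls work unchanged against MySQL. Note that the mysql_* extension, including mysql_real_escape_string, was removed in PHP 7.0, so the prepared-statement route is the one that still applies.

```php
<?php
// Added example (not from the original thread): a username lookup done two ways.
// Uses SQLite in memory so it runs offline; the same PDO calls work with MySQL.
// The table, rows and sample input below are constructed for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('o''brien')");

// Untrusted input, as it would arrive from a form. It contains a quote character
// that an alphanumeric-only check would reject, but the database layer should not
// depend on that check having been run (or on it being correct).
$username = "o'brien";

// Unsafe: the value is spliced into the SQL text. Here the stray quote simply
// breaks the statement; an attacker-chosen value could instead change its meaning.
function lookupUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Safe: the SQL text is fixed at prepare time and the value travels separately,
// so it is never parsed as SQL whatever its contents or encoding.
function lookupSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

try {
    lookupUnsafe($db, $username);
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

$row = lookupSafe($db, $username);
echo "prepared query returned: " . ($row ? $row['username'] : 'no match') . "\n";
```

The concatenated version raises a syntax error on the quote, which is the benign outcome; the prepared version finds the row, because the driver handles the value as data rather than as part of the statement. Input validation is still worth keeping for its own reasons, but it is not the control that stops injection.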

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php