To prevent user input from messing with your query you just need to
escape the characters used to delimit query values.

MySQL for example uses ' (single quote) to delimit values so you should
use addslashes() on all values.

This will make inserting values containing the ' character work and prevent
user input from manipulating your script to run arbitrary queries on your DB server.

The practical thing about MySQL is that it accepts quote delimited values even for
integer fields. However, if you want to make a 'db safe' integer you can use $var = 

For more advanced input validation, regular expressions can be very adequate but I'd 
recommend separating this from previous mentioned 'escaping' which is simply needed
for your DB to function properly and safe.


On Mon, 4 Feb 2002 17:18:20 -0000, Simon H wrote:

>I'm trying to validate an input form, for database INSERT/UPDATE.  I'm
>looking for a couple of Techniques and I cant seem to find examples

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to