Thread: sql security
03-08-2008, 06:51 PM, #2
bdl
The best thing I can suggest is to research SQL injection, and pay attention to data types in the process.

Some tips:

Validate your data for the specific type and content you expect. PHP's ctype functions come in handy for quickly testing content and you can use some simple type juggling to make sure the data meets your requirements.

Use one of the native functions to properly escape data; if you're using MySQL, for example, there is a MySQL specific function for doing that. Not all RDBMS extensions have a native escape function, but most do. If the extension doesn't support it, consider using one of the available libraries, such as PEAR MDB2.

Parameterized queries are also a great tool; I suggest looking into using them if your library or extension provides that function.
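The three tips above (validate the type with ctype functions, escape with the driver's own function, or better, parameterize) carried through in one piece of PHP. This is an added example, not code from bdl's post; it assumes a MySQL table `users(id INT, name VARCHAR)` and uses placeholder connection details. The escaping variant uses `mysqli::real_escape_string`, the parameterized variant uses PDO prepared statements; PEAR MDB2 from the post is not used here.

```php
<?php
// Added example (not from the original post). Assumes a table
// users(id INT, name VARCHAR(32)) on a local MySQL server; host, database
// name and credentials in the usage block are placeholders.

// 1. Validate: accept only the type and content you expect.
function validate_user_id($raw)
{
    // ctype_digit() operates on strings, so normalise the input first.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    if ($s === '' || strlen($s) > 10 || !ctype_digit($s)) {
        return null;
    }
    return (int) $s; // type juggling: from here on the value is a plain integer
}

function validate_username($raw)
{
    // Letters, digits and underscore only, with a bounded length.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 32) {
        return null;
    }
    if (!ctype_alnum(str_replace('_', '', $raw))) {
        return null;
    }
    return $raw;
}

// 2. When you do build the SQL string yourself, escape with the driver's
//    own function, which knows the connection's character set.
function find_by_name_escaped(mysqli $db, $rawName)
{
    $name = validate_username($rawName);
    if ($name === null) {
        return [];
    }
    $safe = $db->real_escape_string($name);
    $res  = $db->query("SELECT id, name FROM users WHERE name = '$safe'");
    $rows = [];
    if ($res) {
        while ($row = $res->fetch_assoc()) {
            $rows[] = $row;
        }
    }
    return $rows;
}

// 3. Preferred: a parameterized query. The value is bound separately and
//    never becomes part of the SQL text, so escaping is not your problem.
function find_by_id_prepared(PDO $db, $rawId)
{
    $id = validate_user_id($rawId);
    if ($id === null) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (placeholder host, database and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
// ]);
// var_dump(find_by_id_prepared($pdo, $_GET['id'] ?? ''));
```

The validation step is kept in both paths on purpose: a prepared statement stops the value from changing the query's structure, but it does not stop a 40-character string from reaching a column that expects an integer, so checking type and length first still belongs in front of the database call. Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO send a genuine prepared statement to the server rather than interpolating the value client-side.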