sql security

[falsepride]

sometimes its necessary to take user submitted data from a form in a query. without buffering data, things could probably get pretty nasty if the user wanted to mess things up. how should one probably buffer data to prevent tables from being deleted or values changed around?

[bdl]

The best thing I can suggest is to research SQL injection, and pay attention to data types in the process.

Some tips:

Validate your data for the specific type and content you expect. PHP's ctype functions come in handy for quickly testing content and you can use some simple type juggling to make sure the data meets your requirements.

Use one of the native functions to properly escape data; if you're using MySQL, for example, there is a MySQL specific function for doing that. Not all RDBMS extensions have a native escape function, but most do. If the extension doesn't support it, consider using one of the available libraries, such as PEAR MDB2.

Parameterized queries are also a great tool; I suggest looking into using them if your library or extension provides that function.

[falsepride]

what ctype functions would one need without being too excessive. i only want capital and lowercase letters, numbers, spaces, and standard other characters like /,-,(,), and maybe a few others