Just to add...

On 2003.11.8, at 00:04 Asia/Tokyo, Chris Shiflett wrote:

--- Shaun <[EMAIL PROTECTED]> wrote:
Does anyone know of a function I can include in my scripts to ensure all
$_POST values sent from a page don't include any SQL?

It's only important that the data sent from the client will not be
executed by your database. Depending on which database you use, there is a
different way of escaping data. PHP's addslashes() is good for escaping
quotes that can cause problems with MySQL (even unintentionally).


A better approach, or at least something you should do also, is to make
sure all data is exactly the type of data you are expecting. Rather than
trying to prevent some specific type of attack that you may have heard of,
try instead to verify all of your data using very strict data filtering.
Otherwise, you basically make yourself vulnerable to every type of attack
you might not have heard of. That's a risky approach.

Have different users for different tasks. For example, one user can *only*
view (select) data, and another can insert/alter data, etc.


- E -
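The two points made in this thread, strict filtering of every field you expect rather than hunting for one attack pattern, and separate database accounts per task, worked into one added PHP example. This is not code from the thread or from any of its authors. It assumes a MySQL database `appdb` with a table `users(id INT, username VARCHAR(32), age INT)` and two accounts, `app_reader` (SELECT only) and `app_writer` (SELECT, INSERT, UPDATE), whose passwords come from the environment variables `READER_PW` and `WRITER_PW`; all of those names are assumptions for the example, as is the use of mysqli prepared statements in place of addslashes().

```php
<?php
// Added example, not from the original thread. Strict whitelist filtering of
// request fields, then a prepared statement so user data is never parsed as SQL.
// Assumed setup (names are assumptions for this example):
//   CREATE USER 'app_reader'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON appdb.users TO 'app_reader'@'localhost';
//   CREATE USER 'app_writer'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE ON appdb.users TO 'app_writer'@'localhost';
declare(strict_types=1);

/**
 * Validate an associative array of request fields against an explicit schema.
 * Fields not in the schema are dropped; fields failing their rule are reported.
 * Returns [cleanFields, errors]; only act on the data when errors is empty.
 */
function filterFields(array $input, array $schema): array
{
    $clean = [];
    $errors = [];
    foreach ($schema as $name => $rule) {
        if (!array_key_exists($name, $input) || !is_string($input[$name])) {
            $errors[$name] = 'missing';
            continue;
        }
        $raw = $input[$name];
        switch ($rule['type']) {
            case 'int':
                // FILTER_VALIDATE_INT rejects "12abc", " 12" and "0x1A";
                // the range options then bound the accepted value.
                $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                    'min_range' => $rule['min'], 'max_range' => $rule['max'],
                ]]);
                if ($v === false) {
                    $errors[$name] = 'not an integer in range';
                    continue 2; // next field
                }
                $clean[$name] = $v;
                break;
            case 'username':
                // Only characters a username may contain, with a length cap.
                $re = '/\A[A-Za-z0-9_]{1,' . (int) $rule['max_len'] . '}\z/';
                if (preg_match($re, $raw) !== 1) {
                    $errors[$name] = 'invalid username';
                    continue 2;
                }
                $clean[$name] = $raw;
                break;
            default:
                throw new InvalidArgumentException("unknown rule type for $name");
        }
    }
    return [$clean, $errors];
}

$schema = [
    'username' => ['type' => 'username', 'max_len' => 32],
    'age'      => ['type' => 'int', 'min' => 0, 'max' => 150],
];

// Constructed sample input standing in for $_POST. The quote characters in
// username fail the whitelist; 'extra' is silently dropped as unexpected.
$post = ['username' => "bob' OR '1'='1", 'age' => '42', 'extra' => 'ignored'];
[$fields, $errors] = filterFields($post, $schema);
// $errors is ['username' => 'invalid username'] and $fields holds only 'age'.

if ($errors !== []) {
    http_response_code(400);
    exit('rejected fields: ' . implode(', ', array_keys($errors)));
}

// Separate accounts per task: lookups run as the read-only user, the insert
// as the writer. A bug in the lookup path cannot modify data.
$reader = new mysqli('localhost', 'app_reader', (string) getenv('READER_PW'), 'appdb');
$writer = new mysqli('localhost', 'app_writer', (string) getenv('WRITER_PW'), 'appdb');

// Prepared statements: the values are bound, never concatenated into the SQL
// text, so the driver handles quoting whatever the database's escaping rules.
$lookup = $reader->prepare('SELECT id FROM users WHERE username = ?');
$lookup->bind_param('s', $fields['username']);
$lookup->execute();
$exists = $lookup->get_result()->fetch_assoc() !== null;

if (!$exists) {
    $insert = $writer->prepare('INSERT INTO users (username, age) VALUES (?, ?)');
    $insert->bind_param('si', $fields['username'], $fields['age']);
    $insert->execute();
}
```

The filter is written as a schema so the rule for each field lives in one place; anything that arrives without a rule never reaches the query. Binding parameters replaces addslashes() because it does not depend on knowing which characters a particular database treats specially, which is exactly the per-database problem mentioned above.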



-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php


