--- Michael Rasmussen <[EMAIL PROTECTED]> wrote:
> > To be clear: make sure the data that the user submitted only
> > contains the characters you think are valid (don't bother trying
> > to guess malicious characters - you're sure to miss one) and is a
> > valid length. Once you've done this, and your design helps you to
> > make sure that this step can't be bypassed by the user, you're
> > protected against SQL injection.
>
> Or even better: Use only prepared statements.
Can you explain that (and defend it)?

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming mid-2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
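As an added illustration of the two defences discussed in the quoted exchange (a whitelist and length check on the submitted value, and a prepared statement with a bound parameter), the following PHP is example code written for this page; it is not from either poster. It assumes a PHP build with the PDO SQLite driver and uses an in-memory database with constructed rows and constructed inputs, so it runs stand-alone.

```php
<?php
// Added example (not from the thread): whitelist validation and a prepared
// statement applied to a username lookup, using in-memory SQLite via PDO.

// Whitelist validation: accept only the characters and length the application
// actually expects for a username; everything else is rejected outright.
function isValidUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name) === 1;
}

// Prepared statement: the SQL text is fixed at prepare time and the value is
// sent separately as a bound parameter, so the database never parses it as SQL.
function findUserId(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Both layers together: validate first, then query with a bound parameter.
function lookupUser(PDO $db, string $name): ?int
{
    if (!isValidUsername($name)) {
        return null; // rejected before it reaches the database at all
    }
    return findUserId($db, $name);
}

// Constructed schema and rows for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed inputs: two well-formed names and two that the whitelist rejects
// (one because of quote and space characters, one because of its length).
$inputs = [
    'alice',
    'carol',
    "alice' OR 'a'='a",
    str_repeat('a', 40),
];

foreach ($inputs as $input) {
    $id = lookupUser($db, $input);
    printf("%-20s => %s\n", var_export($input, true),
        $id === null ? 'rejected or not found' : "id $id");
}

// Even if the whitelist were skipped, the bound parameter is compared literally:
// the quote-laden string matches no row instead of changing the query's meaning.
var_dump(findUserId($db, "alice' OR 'a'='a"));
```

The whitelist answers the first poster's point (reject anything outside the expected character set and length before it is used), and the bound parameter answers the second (the value is data, never query text). Keeping both is the usual recommendation: the prepared statement removes the injection path, and the whitelist still catches values that are syntactically harmless but semantically wrong for the field.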