Re: [PHP] How to improve sql query security using php?
From: Cary Collett (cary <email protected>)
Date: 09/30/00

You should use substr or preg_replace to escape or get rid of
characters you know you don't want. The big ones you will want to
get rid of, or escape are of course \, _, %, " and ' (the
apostrophe). You can use addslashes to escape ", ' and \.

Cary

Thus spake Richard Creech (richardc <email protected>):

> Hi All,
> Great list!
>
> I have a simple html form which accepts an email address and password.
> I run this query:
>
> SELECT $emailfield, $passwordfield FROM $userstable WHERE $emailfield = '$loginemail'
>
> but what if the user enters the character "%@%", or other nasty things for the variable called $loginemail? I understand client side Javascript can be easily defeated, and that a LIMIT 1 will work - but not in other queries - which is what I will need. I don't want crackers piping out my complete data set. I need to get a better handle on this security issue. What's the BEST thing I can do here to improve my sql security using php?
>
> Regards,
> Richard Creech
> http://dreamriver.com
> richardc <email protected>
> Phone 250.744.3350 Pacific Time
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: php-general-unsubscribe <email protected>
> For additional commands, e-mail: php-general-help <email protected>
> To contact the list administrators, e-mail: php-list-admin <email protected>

-- 
Cary Collett                                               cary <email protected>
http://cary.ratatosk.org/

"To me boxing is like ballet, except that there's no music, no choreography, and the dancers hit each other." -- Jack Handy

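An added example, not part of the original thread or of either poster's code, to make the two points above concrete: the interpolated query from the question can be made to return every row, and the `%@%` input is only dangerous once the column is compared with LIKE rather than `=`. Escaping quotes the way addslashes does stops the first problem; `%` and `_` are a separate issue because they are wildcards, not quote characters. The example goes beyond the thread by using the approach now standard in PHP (mysqli/PDO prepared statements): the value is bound as a parameter, the table and column names (which cannot be bound) are checked against an allow-list, and a small helper escapes LIKE wildcards. It assumes Python's `sqlite3` standing in for the MySQL table in the question; the table name `users`, the columns `email` and `password`, and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the thread). Passwords are stored in
# clear text only to keep the example short; a real application stores a hash.
_ROWS = [
    ("alice@example.com", "s3cret"),
    ("bob@example.com", "hunter2"),
    ("carol@example.net", "letmein"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table playing the role of $userstable (assumption)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return con


def login_unsafe(con: sqlite3.Connection, loginemail: str) -> list:
    """The query from the question, built by string interpolation (vulnerable)."""
    sql = f"SELECT email, password FROM users WHERE email = '{loginemail}'"
    return con.execute(sql).fetchall()


def search_unsafe(con: sqlite3.Connection, pattern: str) -> list:
    """Same flaw, but with LIKE: here '%' and '_' act as wildcards (vulnerable)."""
    sql = f"SELECT email, password FROM users WHERE email LIKE '{pattern}'"
    return con.execute(sql).fetchall()


# Identifiers (table and column names) cannot be bound as parameters, so they
# are checked against an allow-list instead of being trusted from the request.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
_ALLOWED_TABLES = {"users"}
_ALLOWED_COLUMNS = {"email", "password"}


def _check_ident(name: str, allowed: set) -> str:
    if name not in allowed or not _IDENT.match(name):
        raise ValueError(f"identifier not allowed: {name!r}")
    return name


def login_safe(con: sqlite3.Connection, table: str, emailfield: str,
               passwordfield: str, loginemail: str) -> list:
    """Hardened form: allow-listed identifiers, bound value for the email."""
    t = _check_ident(table, _ALLOWED_TABLES)
    e = _check_ident(emailfield, _ALLOWED_COLUMNS)
    p = _check_ident(passwordfield, _ALLOWED_COLUMNS)
    sql = f'SELECT "{e}", "{p}" FROM "{t}" WHERE "{e}" = ?'
    # The driver sends loginemail as data, so quotes in it never reach the parser.
    return con.execute(sql, (loginemail,)).fetchall()


def escape_like(value: str, esc: str = "\\") -> str:
    """Escape LIKE wildcards so user text is matched literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_safe(con: sqlite3.Connection, fragment: str) -> list:
    """Substring search with a bound parameter and escaped wildcards."""
    sql = "SELECT email, password FROM users WHERE email LIKE ? ESCAPE '\\'"
    return con.execute(sql, ("%" + escape_like(fragment) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe, honest input :", len(login_unsafe(db, "alice@example.com")))
    print("unsafe, ' OR '1'='1 :", len(login_unsafe(db, "' OR '1'='1")))
    print("unsafe '=' with %@%  :", len(login_unsafe(db, "%@%")))
    print("unsafe LIKE with %@% :", len(search_unsafe(db, "%@%")))
    print("safe, ' OR '1'='1   :", len(login_safe(db, "users", "email", "password", "' OR '1'='1")))
    print("safe search for '%'  :", len(search_safe(db, "%")))
```

Running it shows the whole table coming back from the interpolated query for `' OR '1'='1`, nothing for `%@%` under `=` (wildcards mean nothing there) but every row under LIKE, and zero rows for the same payloads once the value is bound and the wildcards are escaped. The identifier check is the part addslashes can never give you: a table or column name taken from the request has to be matched against names you already know.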