I was just wondering if it can or not.

Otherwise wouldn't this code work great for stopping SQL injection?

$some_post = addslashes($_POST['some_post']);

if (!ctype_alnum($some_post)) {
	//error
} else {
	//all good
}


So you would prevent your customers from using punctuation of any kind? Wouldn't that be a little hard for them? I think it would make me crazy.

It's for a username check on a registration form. Sorry I forgot to mention that.

Member Avatar for diafol

strip_tags or htmlentities. mysql_real_escape_string as standard cleaning.

Is there a way of protecting from all types of SQL injection?

Member Avatar for diafol

IMO, you can use just mysql_real_escape_string(), but when passing the var on as an integer, there is no "" or '' around the value placeholder inside the query. This could pose a problem; therefore, you should validate (server-side) the variables for type (e.g. integer, float, etc.).
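
The unquoted-integer case from the last reply, as an added example that is not part of the thread: escaping alone leaves a quote-free value unchanged, while server-side type validation rejects it. The table, column and function names are hypothetical, `addslashes()` stands in for `mysql_real_escape_string()` so the script runs without a MySQL connection, and the PDO bound parameter is an addition beyond what the replies suggest (assumes the `pdo_sqlite` extension).

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.
// An in-memory SQLite database keeps the script self-contained and offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('carol')");

// Constructed sample input: it contains no quote characters,
// so an escaping function has nothing to escape.
$input = '1 OR 1=1';

// Weak: escape only, then place the value unquoted in a numeric context.
// addslashes() (from the question) stands in for mysql_real_escape_string();
// both only neutralise quote-like characters.
function lookup_escaped_only(PDO $db, string $id): array {
    $escaped = addslashes($id);
    $sql = "SELECT username FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type server-side, then bind the value as a parameter
// so it is never parsed as part of the SQL text.
function lookup_validated(PDO $db, string $id): array {
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The escaped-only lookup matches every row for the constructed input.
echo 'escaped only: ', implode(',', lookup_escaped_only($db, $input)), PHP_EOL;

// The validated lookup refuses the same input before any query is built.
try {
    lookup_validated($db, $input);
} catch (InvalidArgumentException $e) {
    echo 'validated: rejected (', $e->getMessage(), ')', PHP_EOL;
}

// A well-formed id still works.
echo 'validated, id=2: ', implode(',', lookup_validated($db, '2')), PHP_EOL;
```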
