I find that for just numbers type_digit() works great combined with addslashes(), but what about for a mixture, to prevent SQL injection?
Tehim (Light Poster)
Recommended Answers
Can you be more specific about what you mean by "protecting"? Do you mean you want to hide/obscure the variable or its params from the user, or something else, like making your application securely use a $_GET variable?
You can't 'protect' the actual data coming in, but you can clean it for DB input.
You can check the data type / validate the value.
If it passes the validation, you then clean it with mysql_real_escape_string(). No need for anything else. Just be careful with integer placeholders …
Nope, I'm pretty sure that's all you need, as ardav said.
No performance hit with this, I shouldn't have thought.
The preg_replace was to just try and cover some of the SQL injection that mysql_real_escape_string and htmlentities doesn't cover.
More filters or escaping will NOT improve the escaping of a variable. In fact it does the opposite - makes the filter less secure. (an example of this was an XSS injection …
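The approach the recommended answers describe (validate the type first, escape once, mind integer placeholders) as an added PHP example that is not from the thread; it uses mysqli, since mysql_real_escape_string() was removed in PHP 7, and the field names, type map, connection credentials and sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Validate a $_GET-style array against a per-field type map (the types here are
// constructed for this example). Throws on the first failing field, else returns typed values.
function validateInput(array $input, array $types): array
{
    $clean = [];
    foreach ($types as $field => $type) {
        $value = $input[$field] ?? '';
        $ok = match ($type) {
            // ctype_digit() rejects signs, spaces and decimals: "12abc" and "-1" fail
            'int'  => is_string($value) && ctype_digit($value),
            // whitelist, not blacklist: letters, digits and underscore, 3 to 20 chars
            'name' => is_string($value) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $value) === 1,
            default => throw new InvalidArgumentException("unknown type for '$field'"),
        };
        if (!$ok) {
            throw new InvalidArgumentException("rejected value for field '$field'");
        }
        // cast integers here so they never reach the query as a string
        $clean[$field] = $type === 'int' ? (int) $value : $value;
    }
    return $clean;
}

// Build the query from validated values. The string is escaped exactly once, using
// the connection's charset; the integer goes in via %d because escaping does
// nothing for an unquoted placeholder (the caveat raised in the thread).
function buildQuery(mysqli $db, array $clean): string
{
    $name = $db->real_escape_string($clean['username']);
    return sprintf("SELECT id, username FROM users WHERE id = %d AND username = '%s'",
                   $clean['id'], $name);
}

// Constructed sample requests; the credentials are placeholders for a real connection.
$db    = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
$types = ['id' => 'int', 'username' => 'name'];
foreach ([['id' => '42', 'username' => 'dani_1'],
          ['id' => '42abc', 'username' => 'dani_1']] as $request) {
    try {
        echo buildQuery($db, validateInput($request, $types)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

On PHP 7 and later the same validated values can instead be passed to a mysqli prepared statement with bind_param('is', ...), which removes the quoting concern for the integer entirely.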
All 19 Replies