I was just wondering if it can or not.

Otherwise wouldn't this code work great for stopping SQL injection?

$some_post = addslashes($_POST['some_post']);

if (!ctype_alnum($some_post)) {
	//error
} else {
	//all good
}

Recommended Answers

All 5 Replies

So you would prevent your customers from using punctuation of any kind Wouldnt that be a little hard for them I think it would make me crazy

It's for a username check on a registration form. Sorry I forgot to mention that.

Member Avatar

striptags or htmlentities. mysql_real_escape_string as standard cleaning.

Is there a way of protecting from all types of SQL injection?

Member Avatar

IMO, you can use just mysql_real_escape_string(), but when passing the var on as an integer, there is no "" or '' around the value placeholder inside the query. This could pose a problem, therefore, you should validate (server-side) the variables for type (eg integer, float etc).

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.