Preventing SQL Injection

Pests

What are some steps that can be taken to prevent SQL Injection? What functions should be applied to data going into a SQL query for mysql?

Currently I have register_globals turned off, use $POST, $GET, and LIMIT my querys. I'm still trying to find out which functions to apply to which types of information to make it SQL safe.

For example, what should you do for an ID used in a select, update, delete querys? What about for things that you are not going to be showing to users? Things that will be shown (posts on a forum, ect, ect).

What should be used to remove all html and javascript from the text to perfect XSS?

olaf

I'm not really sure whats your problem... butg you know that database actions are serverside and only the html which is in the script will show up in the browser...

Pests

Yes. What functions to use to make user data SQL safe?

olaf

the most of the times you only addslashes... because you have already a statement and just diff. values inside thi statement.

tsinka

Hi,

you can use the mysql_escape_string function to ensure that the values submitted get escaped properly for use in a mysql query.

Additionally, use e.g.

WHERE field='value' in your queries instead of

WHERE field=value

This combined with mysql_escape_string should do it.

Thomas

Pests

Yes, I use `` and '' as well. Thanks.