[RESOLVED] The bset to prevent sqlinjection?

Zpixel

input text boxes or 'GET' data could be filtered by

$input=addslashes($input);

is it enough?

and for validating email addresses

if(preg_match ('/^{(0-9a-zA-Z@([0-9a-zA-Z][-\w][0-9a-zA-Z]\.)+[a-zA-Z]{2,9})/',} $email)){ $validEmail ="Yes"; }

is it good or enough?

how can i make them stronger?
thanks.

devinemke

if you are using mySQL then definitely look at [man]mysql_real_escape_string[/man]

NogDog

addslashes() is too generic. You should either look into the specific filtering function for your DBMS (such as mysql_real_escape_string() suggested above if using the mysql interface) or use prepared statements (such as with the mysqli or PDO extensions).

See http://www.iamcal.com/publish/articles/php/parsing_email/ for a thorough discussion of email regular expressions and a suggested solution. A simpler but not quite as stringent solution is:

$email = filter_var(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL),
         FILTER_VALIDATE_EMAIL);
if($email === false)
{
   // Houston, we have a problem....
}

Weedpacket

I'd definitely go with [man]PDO[/man]. Its parameter bindings automatically escape everything going into the query as appropriate. Plenty of other advantages, as well.

Zpixel

what about this?

prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
if(get_magic_quotes_gpc())
$input= stripslashes($input);

$input=str_replace('%','',$input); (or $input=ereg_replace('%','',$input)😉
$input=mysql_real_escape_string($input);

is stripslashes() needed for both GET or POST data?