ZYV
January 9th, 2004, 05:23 AM
Hi!
Just a hint for the beginners. If you write a script that does selects from the database based on user input, you may do the following to avoid SQL injection in numerical values:
$go = $_GET["go"];
settype($go, "integer"); // forces an integer: "42" stays 42, "42 OR 1=1" becomes 42, non-numeric input becomes 0
To avoid injections in the string values you may want to use something like this:
$str = $_GET["str"];
$str = trim(addslashes(safestrip($str))); // undo magic quotes if PHP applied them, then escape exactly once
//...........................
function safestrip($str) {
    // strip the backslashes PHP added automatically when magic_quotes_gpc is on,
    // so that addslashes() below never double-escapes
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return $str;
}
It works correctly and does not depend on the magic_quotes_gpc value!
More anti-injection hints will follow...
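Added example (not part of ZYV's post): the two sanitisation steps above wired into one script and run against constructed inputs, a normal request and a textbook injection attempt, so you can see what each step actually does to the query string. Function names (sanitizeId, sanitizeString, buildQuery) and the table/column names are my own. Two caveats a practitioner should keep in mind: get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0, so the example guards the call with function_exists(); and addslashes() only matches databases that treat a backslash as an escape character (MySQL does, SQLite and standard SQL double the quote instead), which is one reason parameterised queries replaced this pattern.

```php
<?php
// Added example, not code from the original post. Exercises the settype() and
// addslashes() technique described above against constructed inputs.
declare(strict_types=1);

// Step 1: numeric parameter. settype() coerces to int, so "42 OR 1=1" becomes 42
// and a non-numeric value becomes 0. The result can be interpolated unquoted.
function sanitizeId(mixed $value): int
{
    settype($value, "integer");
    return $value;
}

// Step 2: string parameter. First undo the slashes PHP's magic_quotes_gpc may
// have added (old PHP only; the function no longer exists in PHP 8, hence the
// function_exists() guard, which is an addition to the original), then escape
// exactly once with addslashes().
function safestrip(string $str): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return $str;
}

function sanitizeString(string $value): string
{
    return trim(addslashes(safestrip($value)));
}

// Build the query the way the post does (string interpolation), using the
// sanitised values. Table and column names are hypothetical.
function buildQuery(array $get): string
{
    $go  = sanitizeId($get['go'] ?? 0);
    $str = sanitizeString((string) ($get['str'] ?? ''));
    return "SELECT * FROM items WHERE id = $go AND name = '$str'";
}

// Constructed inputs: a legitimate request and an injection attempt on both parameters.
$normal = ['go' => '42',         'str' => "O'Reilly "];
$attack = ['go' => '42 OR 1=1',  'str' => "x' OR '1'='1"];

echo buildQuery($normal), "\n";
// SELECT * FROM items WHERE id = 42 AND name = 'O\'Reilly'
echo buildQuery($attack), "\n";
// SELECT * FROM items WHERE id = 42 AND name = 'x\' OR \'1\'=\'1'
// The "OR 1=1" on the numeric side is dropped by settype(); the quote on the
// string side is escaped, so MySQL reads it as a literal name, not as SQL.
```

Run it with `php example.php`; no database is needed because the script only shows the query text that would be sent.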