--- Shaun <[EMAIL PROTECTED]> wrote:
> Does anyone know of a function I can include in my scripts to ensure all
> $_POST values sent from a page don't include any SQL?

It's only important that the data sent from the client will not be executed by your database. Depending on which database you use, there is a different way of escaping data. PHP's addslashes() is good for escaping quotes that can cause problems with MySQL (even unintentionally).

A better approach, or at least something you should do also, is to make sure all data is exactly the type of data you are expecting. Rather than trying to prevent some specific type of attack that you may have heard of, try instead to verify all of your data using very strict data filtering. Otherwise, you basically make yourself vulnerable to every type of attack you might not have heard of. That's a risky approach.

Hope that helps.

Chris

=====
My Blog http://shiflett.org/
HTTP Developer's Handbook http://httphandbook.org/
RAMP Training Courses http://www.nyphp.org/ramp
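
The strict data filtering described in the reply above, as an added example that is not part of the original message: every expected form field is checked against an allow-list rule, and anything that does not match exactly is rejected. The field names, rules and sample input are hypothetical, and values that pass are still escaped for the database when the query is built.

```php
<?php
// Added example: allow-list filtering of form input. Field names and rules
// are hypothetical; $samples is constructed data standing in for $_POST.

/** Return the fields only if every one passes its rule; throw otherwise. */
function filter_input_strict(array $raw, array $rules): array
{
    // Reject fields the form never defined rather than silently ignoring them.
    $unexpected = array_diff(array_keys($raw), array_keys($rules));
    if ($unexpected) {
        throw new InvalidArgumentException('Unexpected field: ' . implode(', ', $unexpected));
    }

    $clean = [];
    foreach ($rules as $field => $isValid) {
        $value = $raw[$field] ?? null;
        // Missing fields and arrays (e.g. user_id[]=1) fail before any rule runs.
        if (!is_string($value) || !$isValid($value)) {
            throw new InvalidArgumentException("Invalid value for field: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

$rules = [
    // Digits only with a bounded length, so the later integer cast is exact.
    'user_id'  => fn(string $v): bool => ctype_digit($v) && strlen($v) <= 9,
    // Fixed character set and length; \A and \z anchor the whole string.
    'username' => fn(string $v): bool => preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $v) === 1,
    // One of a closed set of values, compared strictly.
    'sort'     => fn(string $v): bool => in_array($v, ['asc', 'desc'], true),
];

$samples = [
    ['user_id' => '42',  'username' => 'shaun_01', 'sort' => 'asc'],   // well-formed
    ['user_id' => "4'2", 'username' => 'shaun_01', 'sort' => 'asc'],   // stray quote
    ['user_id' => '42',  'username' => 'shaun_01', 'sort' => 'asc', 'admin' => '1'],
];

foreach ($samples as $samplePost) {
    try {
        $clean = filter_input_strict($samplePost, $rules);
        $clean['user_id'] = (int) $clean['user_id'];
        echo 'accepted: ', json_encode($clean), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```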