--- Shaun <[EMAIL PROTECTED]> wrote:
> does anyone know of a function i can include in my scripts to ensure all
> $_POST values sent from a page don't include any SQL?

It's only important that the data sent from the client will not be
executed by your database. Depending on which database you use, there is a
different way of escaping data. PHP's addslashes() is good for escaping
quotes that can cause problems with MySQL (even unintentionally).

A better approach, or at least something you should do also, is to make
sure all data is exactly the type of data you are expecting. Rather than
trying to prevent some specific type of attack that you may have heard of,
try instead to verify all of your data using very strict data filtering.
Otherwise, you basically make yourself vulnerable to every type of attack
you might not have heard of. That's a risky approach.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
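The "strict data filtering" Chris describes, as an added example that is not part of the original thread or any of its participants' code: every expected field gets a rule (integer range, regex, e-mail, fixed set of values), anything that does not match is rejected, and anything not in the rule list is dropped. The field names, rules and sample requests below are made up for illustration.

```php
<?php
// Added example (not from the original thread): whitelist-based filtering of
// $_POST, instead of trying to detect "SQL" in the input. The field names and
// rules are assumptions chosen for illustration.

declare(strict_types=1);

// Expected shape of the form: one rule per field. Unknown fields are dropped.
const FORM_RULES = [
    'user_id'  => ['type' => 'int',   'min' => 1, 'max' => 2147483647],
    'username' => ['type' => 'regex', 'pattern' => '/\A[a-z0-9_]{3,32}\z/'],
    'email'    => ['type' => 'email'],
    'role'     => ['type' => 'enum',  'values' => ['viewer', 'editor']],
];

/**
 * Validate $input (e.g. $_POST) against $rules. Returns the clean, typed
 * values, or throws on the first field that does not match.
 */
function filterInput(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $input) || !is_string($input[$field])) {
            throw new InvalidArgumentException("missing or non-scalar field: $field");
        }
        $raw = $input[$field];
        switch ($rule['type']) {
            case 'int':
                // FILTER_VALIDATE_INT rejects "42 OR 1=1", "1e3", "0x2A" and the like.
                $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => [
                    'min_range' => $rule['min'], 'max_range' => $rule['max'],
                ]]);
                if ($v === false) {
                    throw new InvalidArgumentException("$field: not an integer in range");
                }
                $clean[$field] = $v;   // now a PHP int, not a string
                break;
            case 'regex':
                // \A and \z anchor the whole string; a trailing newline would pass $ alone.
                if (preg_match($rule['pattern'], $raw) !== 1) {
                    throw new InvalidArgumentException("$field: does not match expected format");
                }
                $clean[$field] = $raw;
                break;
            case 'email':
                $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
                if ($v === false) {
                    throw new InvalidArgumentException("$field: not a valid e-mail address");
                }
                $clean[$field] = $v;
                break;
            case 'enum':
                // Strict comparison: "0" must not match a value of 0 or false.
                if (!in_array($raw, $rule['values'], true)) {
                    throw new InvalidArgumentException("$field: not one of the allowed values");
                }
                $clean[$field] = $raw;
                break;
            default:
                throw new LogicException("unknown rule type for $field");
        }
    }
    return $clean;
}

// Constructed sample requests (not real traffic) standing in for $_POST.
$good = ['user_id' => '42', 'username' => 'shaun_01', 'email' => 'shaun@example.com',
         'role' => 'editor', 'extra' => 'silently dropped'];
$bad  = ['user_id' => '42 OR 1=1', 'username' => "' OR ''='", 'email' => 'x',
         'role' => 'admin'];

var_dump(filterInput($good, FORM_RULES));

try {
    filterInput($bad, FORM_RULES);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Contrast with escaping alone: addslashes() only touches quotes, backslashes
// and NUL, so it leaves "42 OR 1=1" as it is. Escaping protects a quoted string
// literal; it does nothing for a value that ends up in an unquoted numeric
// context, which is why checking the type comes first.
echo addslashes('42 OR 1=1'), "\n";
echo addslashes("' OR ''='"), "\n";
```

In a real script the call is `filterInput($_POST, FORM_RULES)` and the rest of the page only ever sees the returned array. The second call above fails on the first rule that does not match, so the user_id value is the one reported; the quoted-string payload in username would be rejected by its regex on its own. Escaping is still required for whatever does reach the database as part of a string literal, and it should be the database's own escaping function (or, on current PHP, a bound parameter in a mysqli/PDO prepared statement) rather than the generic addslashes().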

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
