[PHP] regex and mysql - looking for opinions.

2001-04-18 Thread Larry Hotchkiss

I'm working on a site utilizing Apache/MySQL and of course PHP. I'm
working through the basic framework creating forms to collect user input
and do various searches etc. I was curious as to what most people find
the best way to keep their MySQL queries from getting messed up by user
entered data. None of my searches or database data has or needs any sort
of punctuation, so I was thinking of stripping it all out from form
input. What method is everyone else using?


-- 
Larry H.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] regex and mysql - looking for opinions.

2001-04-18 Thread Plutarck

I use a special function just for reforming input, but it uses the
following bits with PCRE:

 // PCRE character classes; each matches what preg_replace() should strip
 $replace_wordwhite = '/[^\w\s]/';    // anything but word chars and whitespace
 $replace_word      = '/\W/';         // anything but word chars [A-Za-z0-9_]
 $replace_num       = '/\D/';         // anything but digits
 $replace_email     = '/[^\w\-\.@]/'; // anything but word chars, '-', '.', '@'


Works pretty well and it's quite useful for killing useless input without
returning errors, so the username (for instance) "B{o}b" is made into "Bob".
That way it's more or less forgiving of morons and malicious users alike :)


--
Plutarck
Should be working on something...
...but forgot what it was.


"Larry Hotchkiss" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I'm working on a site utilizing Apache/MySQL and of course PHP. I'm
> working through the basic framework creating forms to collect user input
> and do various searches etc. I was curious as to what most people find
> the best way to keep their MySQL queries from getting messed up by user
> entered data. None of my searches or database data has or needs any sort
> of punctuation, so I was thinking of stripping it all out from form
> input. What method is everyone else using?







Re: [PHP] regex and mysql - looking for opinions.

2001-04-19 Thread Christian Reiniger

On Wednesday 18 April 2001 22:03, you wrote:

> and do various searches etc. I was curious as to what most people find
> the best way keep their mysql queries from getting messed up by user
> entered data. None of my searches or database data has or needs any

Simply using addslashes() or the magic_quotes_gpc setting will do fine 
for strings.
For numbers just cast them to int before inserting 'em in the query:
$MyNum = (int) $MyNum;   // only an integer literal can reach the query now
$Query = "INSERT INTO foo (intval) VALUES ($MyNum)";

-- 
Christian Reiniger
LGDC Webmaster (http://sunsite.dk/lgdc/)

/* you are not expected to understand this */

- from the UNIX V6 kernel source

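An added example, not code from anyone in the thread: it wires Plutarck's PCRE classes and Christian's (int) cast into small filter functions and, going one step beyond the thread's escaping approach, binds a free-text field as a query parameter so its punctuation survives without ever becoming part of the SQL text. The extra columns of `foo`, the form values, the function names and the in-memory SQLite database (standing in for MySQL so it runs without a server) are all assumptions.

```php
<?php
// Added example, not from the thread: Plutarck's PCRE classes strip a field
// down to its allowed alphabet, Christian's (int) cast handles numbers, and a
// field that must keep its punctuation is bound as a query parameter rather
// than escaped into the SQL text. SQLite in memory stands in for MySQL so this
// runs without a server; the PDO calls are the same with a mysql: DSN.
declare(strict_types=1);

const REPLACE_WORD  = '/\W/';          // anything but [A-Za-z0-9_]
const REPLACE_EMAIL = '/[^\w\-\.@]/';  // anything but word chars, '-', '.', '@'

function cleanWord(string $s): string  { return preg_replace(REPLACE_WORD, '', $s); }
function cleanEmail(string $s): string { return preg_replace(REPLACE_EMAIL, '', $s); }
function cleanInt(string $s): int      { return (int) $s; } // non-numeric text becomes 0

function storeAndReadBack(array $form): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema; the thread only names the table foo.
    $db->exec('CREATE TABLE foo (user TEXT, email TEXT, age INTEGER, comment TEXT)');

    // The stripped and cast values could be interpolated, but binding every
    // value keeps one code path and lets the comment keep its quotes verbatim.
    $stmt = $db->prepare('INSERT INTO foo (user, email, age, comment) VALUES (?, ?, ?, ?)');
    $stmt->bindValue(1, cleanWord($form['user']), PDO::PARAM_STR);
    $stmt->bindValue(2, cleanEmail($form['email']), PDO::PARAM_STR);
    $stmt->bindValue(3, cleanInt($form['age']), PDO::PARAM_INT);
    $stmt->bindValue(4, $form['comment'], PDO::PARAM_STR);
    $stmt->execute();

    return $db->query('SELECT user, email, age, comment FROM foo')->fetch(PDO::FETCH_ASSOC);
}

// Constructed form input: stray braces in a name, a quote in an address, a
// numeric field with trailing text, and a comment that legitimately holds
// quotes and a "--" sequence.
$row = storeAndReadBack([
    'user'    => 'B{o}b',
    'email'   => "bo'b@example.com",
    'age'     => '42abc',
    'comment' => "O'Reilly said \"hi\" -- keep this",
]);

// Stripping changed the first two fields, the cast dropped the trailing text,
// and the comment survived untouched.
var_dump($row['user'] === 'Bob', $row['email'] === 'bob@example.com');
var_dump((int) $row['age'] === 42, $row['comment'] === "O'Reilly said \"hi\" -- keep this");
```

Older PHP builds return every SQLite column as a string, which is why the age is cast again before comparing.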