Preventing SQL Injection
Posted: Fri Sep 04, 2009 2:57 am
The most important point here to prevent SQL injection is to verify user input data.
Use of a regular expression to match each piece of data before processing can help.
To limit text to A-Z, a-z, 0-9 or _ characters, use the following method.

```php
<?php
// Allow only letters, digits and underscore; prints 1 on a match, 0 otherwise.
$pattern = '/^[a-zA-Z0-9_]+$/';
echo preg_match($pattern, 'Expertcore');
```

This code will return 1 if the text passes or else return 0. If it is zero, then avoid processing the data.
Similarly, if waiting for a $_GET based Record ID which needs to contain only numbers, the following method can be used.

```php
<?php
// Allow only digits, as for a record ID taken from $_GET.
$pattern = '/^[0-9]+$/';
echo preg_match($pattern, '453');
```

In this way we can easily overcome the SQL injection attack.
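An added example, not part of the original post, that wraps the two patterns above in reusable validators and then passes the validated record ID to a query as a bound parameter. The function names, the `$pdo` connection and the `records` table are assumptions for the illustration.

```php
<?php
// Added example (not from the original post): the post's two patterns as
// validators, plus a lookup that uses the validated ID as a bound parameter.

// Letters, digits and underscore only. \z (rather than $) also rejects a
// trailing newline, which $ would otherwise let through the check.
function is_valid_token(string $text): bool
{
    return preg_match('/^[a-zA-Z0-9_]+\z/', $text) === 1;
}

// Digits only, as for a record ID taken from $_GET.
function is_valid_record_id(string $text): bool
{
    return preg_match('/^[0-9]+\z/', $text) === 1;
}

// Assumed for this example: $pdo is an existing PDO connection and the
// table is called records with columns id and name (hypothetical names).
function fetch_record(PDO $pdo, string $rawId): ?array
{
    if (!is_valid_record_id($rawId)) {
        return null; // reject the request instead of processing the data
    }
    // Even after validation the value is bound, not interpolated into SQL.
    $stmt = $pdo->prepare('SELECT id, name FROM records WHERE id = :id');
    $stmt->execute([':id' => $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: the first two pass, the last two are rejected.
var_dump(is_valid_token('Expertcore'));
var_dump(is_valid_record_id('453'));
var_dump(is_valid_record_id("453\n"));
var_dump(is_valid_record_id('45-3'));
```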