Welcome to WebmasterWorld Guest from 188.8.131.52
Can you tell me if this is secure or not?
[edited by: eelixduppy at 4:36 am (utc) on Feb. 21, 2008]
[edit reason] no URLs, please [/edit]
Not exactly. First off, by validation I do not mean measures to prevent SQL injection, but general security measures that should be taken. But an example of making sure the input is validated (clean), is for instance say you are looking for an integer to be input in a form. You want to check to first see if this is indeed an integer, and if it is not prompt for it to be submitted again. And then once it is an integer, be safe and still escape it before using it in a query. The reason you want to validate it to make sure it is an integer, is so that you don't get unexpected results from functions, etc, when you think you have an integer but in reality, with the validation, you may have a string of other random characters that will cause your application to fail.
#connect to db server, select database...
$input = $_POST['input'];
$query = "SELECT * FROM `table` WHERE `field` = '".mysql_real_escape_string($input)."'";
This should sufficiently protect you from SQL injection.