Welcome to WebmasterWorld Guest from 220.127.116.11
I use preg_replace to error out on anything other than a-zA-Z and use mysql_real_escape to query the database.
Of course you are also including regular punctuation and spaces?
What about this, for example?
If properly crafted,
select username,password from user_table where user=3273 or 1=1
Since 1=1 is always true, this simple example would display all user names and passwords in the database.
Before completely cleansing you should look for patterns used to inject commands into your input fields, including but not limited to drop, insert, update, or, and . . .
The equal sign can be encoded, but yeah that should stop that attack . . .but there are many others, as mentioned. If they can figure out your database table names, what about
delete from table
insert into table
That is what I do not understand. How could they possibly get by that preg_replace and mysql_real_escape? Unless your thinking is space and quotes were being allowed. But even if that were case I believe mysql_real_escape would still stop that from happening, correct?
[edited by: Kahless at 8:32 pm (utc) on May 14, 2009]