E.g. currently I'm doing:

$abc=addslashes(strip_tags($_POST['abc']));

Should I also be doing a str_replace for words like "SELECT" etc?

Hi TravelSite,

This thread in our library may help:
[webmasterworld.com...]

dc

Aside from the useful thread linked above... The most straightforward way of doing it is to implement the PHP mySQPL "escape" function to any user input that is going to touch the database. Such as follows:

$firstname = mysql_real_escape_string($_REQUEST['firstname']);
//then use var 'firstname' where needed; etc

The reason I say most straightforward is that it will escape any characters that could cause harm. However, my understanding is that this is not 100% secure; but that it is significantly more secure than doing "add slashes" or "strip tags".

If you wish to "strip tags", I would do so... but after "real escape" is run on it first.

To be even safer, I usually run a regular expression against the input to automatically trash any unknown or unexpected characters. For example, if I'm asking for an 'age' and know that it should be returned as a number, I'll run a reg. exp. against it to strip out any non-numeric characters... and then use this result in the scripting (to validate, to put in DB, etc). This combined with the "real escape" function helps to stem injection by properly escaping and properly controlling input.

Hi dreamcatcher & CyBerAliEn,

- Thanks for the info. I've started changing things to use mysql_real_escape_string, all will read through the rest of it shortly.

Paul.