I want to ensure no SQL attacks and the entire process of passing/receiving from the dbase is secure. All the security with quote, double quote stuff scares the hell out of me. I also here stories in a mysql table where people can do things like add: == droptable to the end of your script and it deletes the table or something. I fully understand how people can do SQL injection, just need advice on what is the best way I should prevent it: My current method (not coded yet, planning first) removes a lot of useability, but I think it will make security very good. Submitting data to database: (assuming for a message board) 1. Reject if characters entered other than A-Z a-z 0-9 ! . ; , ’ : ) ? £ @ + - = # ^ (i.e cant enter ") 2. use str_replace("\'", "'", $name); to replace the ' with \' (escape it but my method may be a little different) And obviously reverse it before displaying again. I cant use the mysql_real_escape_string() as I am using Caspio Bridge Web Services and not MySQL for this project. A database web services API. I wont use Magic Quotes, addslashes / stripslashes as this is deprecated from php 6 What about htmlentities??
Use this function: function quote_smart($value) { if (is_string($value))$value=trim($value); if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (empty($value)) return "''"; if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; } PHP:
Thanks for the reply, but you have obviosuly not read my post. I stated why I could not use magic_quotes, stripslashes AND mysql_real_escape_string.
mysql_real_escape_string() is a good solution for MySQl, but as you said you use "not MySQL", the best solution is to use parameterized queries if possible.