PHP for preventing SQL injections?
From: Ulf Harnhammar (metaur operamail.com)
Date: Wed Sep 17 2003 - 03:15:54 CDT
> i.e. /[a-zA-Z0-9\.\_\-\/:\;\,\!\"\$\%\&\(\)\{\}\?\^\#\\\+\*\~\>\<\|\s\t]+/
> should be enough ... perhaps i've missed some also needed
> chars.
Well, this regex isn't grounded either to the beginning or the end, so it's possible to get bad things past it. It also doesn't check the length of data, which I feel is a good thing, to avoid buffer overflows.
A better regex would be:
^[-_.:;.!A-Za-z0-9\s]{1,100}$
The set of allowed characters will vary depending on the circumstances, what country the users are in and so on.
// Ulf Harnhammar
kses - PHP HTML/XHTML filter
http://sourceforge.net/projects/kses
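The following is an added example, not code from Ulf's message or from the kses project. It reproduces both regexes from the thread in Python (whose `re` module behaves like PCRE for these patterns; `re.search` corresponds to `preg_match`) and runs them over constructed sample inputs to show why the unanchored pattern passes an injection-style value while the anchored, length-limited one rejects it. It also goes one step beyond the post with a caveat a practitioner should know: in both PCRE and Python, `$` also matches just before a trailing newline, so a value such as `"admin\n"` slips past `^...$` unless you use `re.fullmatch` (in PHP, `\z` or the `D` modifier). The pattern `STRICT_DOLLAR` used for that demonstration is our own, not from the post.

```python
import re

# Added example, not code from the original post. Sample inputs below are
# constructed for illustration only.

# The unanchored character-class regex from the quoted message, written as
# a Python pattern. re.search behaves like PHP's preg_match here: it succeeds
# if the pattern matches ANY substring of the input.
UNANCHORED = re.compile(r'[a-zA-Z0-9._\-/:;,!"$%&(){}?^#\\+*~><|\s\t]+')

# Ulf's anchored, length-limited alternative: ^ and $ force the whole value
# to consist of allowed characters, and {1,100} caps the length.
ANCHORED = re.compile(r'^[-_.:;.!A-Za-z0-9\s]{1,100}$')

# Stricter class (no \s, so newlines are not allowed) used only to show the
# trailing-newline quirk of $. This pattern is ours, not from the post.
STRICT_DOLLAR = re.compile(r'^[A-Za-z0-9 ]{1,100}$')


def accepts_unanchored(value: str) -> bool:
    """True if the quoted (unanchored) regex passes the value via substring match."""
    return UNANCHORED.search(value) is not None


def accepts_anchored(value: str) -> bool:
    """True if Ulf's anchored regex passes the value."""
    return ANCHORED.search(value) is not None


def accepts_strict_with_dollar(value: str) -> bool:
    """^...$ with re.search: $ also matches just before a final newline."""
    return STRICT_DOLLAR.search(value) is not None


def accepts_strict_fullmatch(value: str) -> bool:
    """re.fullmatch anchors at the true end of the string (PHP: \\z or the D modifier)."""
    return re.fullmatch(r'[A-Za-z0-9 ]{1,100}', value) is not None


if __name__ == "__main__":
    samples = {
        "benign": "Ulf Harnhammar",
        "injection": "x' OR 1=1 --",   # constructed SQL-injection-style payload
        "too long": "a" * 101,
        "trailing newline": "admin\n",
    }
    for label, value in samples.items():
        print(f"{label:17} unanchored={accepts_unanchored(value)!s:5} "
              f"anchored={accepts_anchored(value)!s:5} "
              f"dollar={accepts_strict_with_dollar(value)!s:5} "
              f"fullmatch={accepts_strict_fullmatch(value)}")
```

Running it shows the injection payload passing the unanchored regex (it matches the substring `x`) and failing the anchored one, the 101-character value failing the length cap, and `"admin\n"` passing `^...$` but failing `fullmatch`. Allow-list validation like this is worth doing, but it is a defence-in-depth measure: the primary protection against SQL injection remains keeping user data out of the query text, via prepared statements or proper escaping for the database in use.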