February 24th, 2000, 12:57 PM
I have a site running with PHP3 and MySQL on the back end.
There is an HTML form driving a set of search and update queries.
For checkbox and radio button input, it's easy enough to obscure the input so that no damage can easily be done during the query.
However, I was asked to add a text search field (i.e., Name contains _____).
This field (call it searchstring) seems to work fine generally, but I am concerned about exposure and properly validating the user's input. In one case, the field is used to update data and provides an opportunity for the user to insert something like:
Odonnell'delete * from employee;' which may have unpleasant effects on my database.
Where can I find reliable information on protecting my site from unexpected user input? I have seen a few comments in this forum about handling ticks in user input, etc. but nothing comprehensive on the subject.
February 24th, 2000, 01:05 PM
Check addslashes() and the magic_quotes directives.
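As an added illustration (not code from either poster), here is the "Name contains ____" search from the question built with the raw form value and then with addslashes() as the reply suggests, plus the magic_quotes_gpc check that addslashes() users need. The table and column names (employee, name, id), the quote-breakout payload and the numeric lookup are assumptions for the example; the payload differs from the one in the question, which is not runnable SQL.

```php
<?php
// Added example, not from the original thread. Demonstrates the searchstring
// field from the question built unsafely and with addslashes(). Table and
// column names are assumed; the inputs below are constructed for the demo.

// 1. Vulnerable: the form value is concatenated straight into the SQL text,
//    so a single quote in the input ends the literal and the rest of the
//    input is parsed as SQL.
function search_sql_unsafe($searchstring) {
    return "SELECT * FROM employee WHERE name LIKE '%" . $searchstring . "%'";
}

// 2. Escaped with addslashes(). With magic_quotes_gpc on, PHP has already
//    added backslashes to GET/POST/cookie values, so strip them first or the
//    value is escaped twice and a literal backslash ends up in the table.
//    (get_magic_quotes_gpc() exists from PHP 3.0.6 up to PHP 7.3.)
function quote_from_form($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return addslashes($value);   // escapes ' " \ and NUL with a backslash
}

function search_sql_escaped($searchstring) {
    return "SELECT * FROM employee WHERE name LIKE '%" . quote_from_form($searchstring) . "%'";
}

// 3. Caveat: addslashes() only helps inside a quoted string literal. A value
//    used in an unquoted numeric position has no quote to escape, so cast it
//    to an integer instead of escaping it.
function lookup_sql_by_id($id) {
    return "SELECT * FROM employee WHERE id = " . intval($id);
}

// Constructed input: closes the LIKE literal, adds an always-true condition
// and comments out the trailing "%'" (MySQL treats "-- " as a comment).
$payload = "%' OR 1=1 -- ";

echo search_sql_unsafe($payload), "\n";
// SELECT * FROM employee WHERE name LIKE '%%' OR 1=1 -- %'   (returns every row)

echo search_sql_escaped($payload), "\n";
// SELECT * FROM employee WHERE name LIKE '%%\' OR 1=1 -- %'  (quote stays inside the literal)

echo lookup_sql_by_id("1 OR 1=1"), "\n";
// SELECT * FROM employee WHERE id = 1                        (injected text discarded)
```

The same pattern applies to the update query mentioned in the question: every form value that lands inside quotes goes through quote_from_form(), and every value that lands in a numeric position is cast. Two things to keep in mind: addslashes() knows nothing about the connection's character set, so later PHP versions added mysql_real_escape_string() and, better still, prepared statements with bound parameters, which remove the need to build SQL text from user input at all; and magic_quotes is a global setting that silently changes what your code receives, so checking it explicitly (as above) is safer than assuming either state.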