[Tutorial] Prevent SQL Injection!
So, a few days ago I asked how to prevent MySQL injection. Someone suggested using only
mysql_real_escape_string, but that's not enough, because someone can use things like
ORDER BY and others that I will not list here. I found that removing bad characters from the input in my scripts will make it impossible for someone to perform an injection.
```php
// line 1: escape quotes and similar characters (' becomes \')
$post = mysql_real_escape_string($_GET['post']);
// line 2: strip letters and the listed punctuation; the hyphen is placed last
// so it is a literal '-' and not a character range
$post = preg_replace('/[a-zA-Z _().,@-]/', '', $post);
// line 3: run the query with the cleaned value
$posts = mysql_query("SELECT * FROM posts WHERE id=$post");
```
What that does is:
line 1: replace characters like ' with \'
line 2: replace bad characters and letters (I only use numbers) with nothing. If you use letters too, just erase the "a-zA-Z" part.
line 3: make a safe query.
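Here is an added, self-contained example (not code from the original post) that shows the same filter next to a stricter approach for the "I only use numbers" case: accept the value only if it is entirely digits, then pass it to the database through a prepared statement. It uses an in-memory SQLite database via PDO so it runs offline; the table, rows and sample inputs are constructed for the demo, and with MySQL only the DSN would differ.

```php
<?php
// Added example, not part of the original post. SQLite in memory via PDO so it
// runs without a server; the prepared-statement pattern is the same for MySQL.

/**
 * The filter from the post: remove letters and the listed punctuation.
 * The hyphen is last in the class so it is literal, not a range.
 */
function filter_post_id(string $raw): string
{
    return preg_replace('/[a-zA-Z _().,@-]/', '', $raw);
}

/**
 * Stricter variant for numeric ids: accept only all-digit input and return an
 * int, otherwise null. Nothing is "cleaned"; bad input is simply refused.
 */
function validate_post_id(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

/**
 * Look up a post by id. The value is bound as a parameter, so it is never
 * parsed as part of the SQL text regardless of what it contains.
 */
function fetch_post(PDO $db, string $raw): ?array
{
    $id = validate_post_id($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (hypothetical table and rows).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (id, title) VALUES (1, 'first'), (2, 'second')");

// Constructed inputs: a plain id, an id with extra SQL words, letters, empty.
$inputs = ['2', '2 ORDER BY id', 'abc', ''];
foreach ($inputs as $raw) {
    printf("%-16s filter => %-6s validated lookup => %s\n",
        var_export($raw, true),
        var_export(filter_post_id($raw), true),
        json_encode(fetch_post($db, $raw)));
}
```

Run it with `php example.php`. The filter column shows what the post's regex leaves behind for each input, while the validated lookup returns a row only for the input that was already a clean number and null for everything else, so the query text itself never changes.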