WebApp Sec mailing list archives

PHP for preventing SQL injections?


From: "Ulf Harnhammar" <metaur () operamail com>
Date: Wed, 17 Sep 2003 09:15:54 +0100

> i.e. /[a-zA-Z0-9\.\_\-\/:\;\,\!\"\$\%\&\(\)\{\}\?\@\^\#\\\+\*\~\>\<\|\s\t]+/
> should be enough ... perhaps i've missed some also needed
> chars.

Well, this regex isn't grounded either to the beginning or the end, so it's possible to get bad things past it. It also 
doesn't check the length of data, which I feel is a good thing, to avoid buffer overflows.

A better regex would be:

^[-_.:;.!A-Za-z0-9\s]{1,100}$

The set of allowed characters will vary depending on the circumstances, what country the users are in and so on.

// Ulf Harnhammar
   kses - PHP HTML/XHTML filter
   http://sourceforge.net/projects/kses
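The anchoring point made in the reply above, as an added example that is not part of the original post. It is written in Python rather than PHP because the behaviour is the same in both: PHP's preg_match and Python's re.search both succeed as soon as any substring matches, so an unanchored character class accepts a string that contains forbidden characters as long as one allowed character is present somewhere. The two patterns are the ones quoted in the thread; the helper names and the sample inputs (including the constructed injection-style string) are assumptions made for this example. It also shows one caveat the message does not mention: in both PCRE and Python, `$` matches just before a trailing newline, so a whole-string check is safest with `\z` (PCRE) or `\Z` / `fullmatch` (Python).

```python
import re

# Character-class regex quoted in the thread. It is unanchored, so search()
# only needs SOME substring of the input to match; anything may surround it.
LOOSE = re.compile(
    r'[a-zA-Z0-9\.\_\-\/:\;\,\!\"\$\%\&\(\)\{\}\?\@\^\#\\\+\*\~\>\<\|\s\t]+'
)

# Ulf's anchored replacement: the WHOLE string must be 1..100 allowed characters.
STRICT = re.compile(r'^[-_.:;.!A-Za-z0-9\s]{1,100}$')

# Same class without \s, used below to show the "$ before trailing newline" caveat.
TIGHT_DOLLAR = re.compile(r'^[-_.:;.!A-Za-z0-9]{1,100}$')
TIGHT_CLASS = re.compile(r'[-_.:;.!A-Za-z0-9]{1,100}')


def passes(pattern, value):
    """True if the value gets past the filter (search semantics, like preg_match)."""
    return pattern.search(value) is not None


def dollar_anchored(value):
    """^...$ check: note that $ also matches right before a final newline."""
    return TIGHT_DOLLAR.search(value) is not None


def whole_string(value):
    """fullmatch consumes the entire input; equivalent to \\A...\\Z (PCRE \\A...\\z)."""
    return TIGHT_CLASS.fullmatch(value) is not None


# Constructed sample inputs for the demonstration.
SAMPLES = [
    "alice",          # plain identifier: both filters accept
    "O'Brien",        # legitimate name with an apostrophe: STRICT rejects it
    "' OR 1=1 --",    # classic injection-shaped input: LOOSE accepts, STRICT rejects
    "x" * 101,        # over the length limit: LOOSE accepts, STRICT rejects
]


def compare_filters():
    """Return (sample, loose_result, strict_result) for each constructed input."""
    return [(s, passes(LOOSE, s), passes(STRICT, s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, loose_ok, strict_ok in compare_filters():
        print(f"{sample[:16]!r:20} loose={loose_ok!s:5} strict={strict_ok}")
    print("trailing newline with ^...$ :", dollar_anchored("abc\n"))
    print("trailing newline, fullmatch  :", whole_string("abc\n"))
```

Running it shows the unanchored pattern waving through both the injection-shaped string and the 101-character string, while the anchored, length-limited pattern rejects them; it also shows that the anchored pattern rejects "O'Brien", which is exactly why the allowed set has to be chosen per application rather than copied. The last two lines show "abc\n" slipping past `^...$` but not past `fullmatch`.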

