05-01-2008, 02:46 PM
#8
Wizard
Quote:
Originally Posted by delayedinsanity
You can also circumvent the basic sql injections where somebody tries
' OR username=admin --
simply with trim($szUsername, " '-"). Or preg_match("~[A-Za-z0-9_]~", $szString), or... as I said above, the best way, imo, is to not trust just one method of sanitization or validation. Verify that information.
-m
There are sometimes valid uses for those letters. You don't want a security method that hurts usability.
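An added example in PHP, not code posted in this thread: it runs the quoted trim() and preg_match() ideas side by side with a parameterized PDO query, so the usability cost raised in the reply and the difference a bound parameter makes are both visible. The SQLite table, its rows and the three inputs are constructed for the example.

```php
<?php
// Added example, not code from the thread. Contrasts the trim()/preg_match()
// ideas in the quoted post with a parameterized query, which keeps the input
// out of the SQL grammar entirely. Uses an in-memory SQLite database so it
// runs offline; the table, rows and inputs below are constructed.

// Constructed inputs: two legitimate names and the payload quoted in the thread.
$inputs = ["O'Brien", "jean-luc", "' OR username=admin --"];

// 1. The quoted approach: strip space, quote and hyphen from both ends only.
//    Characters in the middle survive untouched, and any legitimate leading
//    or trailing ones are silently lost.
function trimApproach(string $s): string {
    return trim($s, " '-");
}

// 2. Whitelist validation, properly anchored. The quoted pattern
//    ~[A-Za-z0-9_]~ has no ^...$ or +, so it passes any string that contains
//    at least one allowed character, including the payload above. Anchored,
//    it rejects the payload but also rejects O'Brien and jean-luc: that is
//    the usability cost the reply points at.
function isValidUsername(string $s): bool {
    return preg_match('~^[A-Za-z0-9_]+$~', $s) === 1;
}

// 3. A parameterized query: the value is bound, never spliced into the SQL
//    text, so apostrophes and "--" are plain data. Nothing needs stripping.
function findUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('admin'), ('O''Brien'), ('jean-luc')");

foreach ($inputs as $in) {
    $row = findUser($db, $in);
    printf("%-24s trim=>%-20s whitelist=>%-6s lookup=>%s\n",
        $in, trimApproach($in), isValidUsername($in) ? 'accept' : 'reject',
        $row === null ? 'no row' : 'id ' . $row['id']);
}
```

With the bound parameter the apostrophe in O'Brien matches its own row and the payload simply finds nothing, while the whitelist turns both real names away.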