I'm trying to figure out how to prevent SQL injection. I wrote this basic function:

    function antiInjectie($inputfromform) {
        // Replace single quotes and SQL comment markers with harmless characters
        $temp = str_replace("'", "`", $inputfromform);
        $temp = str_replace("--", "~~", $temp);
        // Encode HTML special characters before the value is stored or displayed
        return htmlentities($temp);
    }
However, someone told me to also take hex values into consideration, but how do I do this?
Update: I'm stuck with MDB2 and pgsql.
Bobby-Tables has a good guide to preventing SQL injection.
In short: Don't twiddle with the input yourself, use database API methods that allow bound parameters.
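To show what the answer means by bound parameters in the setup the question mentions (PEAR::MDB2 on top of PostgreSQL), here is an added example. It is not code from the question, the answer or the MDB2 project; the DSN, the users table and its name column are assumptions made for the illustration. It places the string-splicing pattern the question's function tries to patch next to a prepared statement with a placeholder, so the difference is visible in one file.

```php
<?php
// Added example, not from the question or the answer above.
// Requires PEAR::MDB2 with its pgsql driver. The DSN, the "users" table and
// its "name" column are assumptions for this illustration.
require_once 'MDB2.php';

$dsn  = 'pgsql://appuser:secret@localhost/appdb'; // assumed connection details
$mdb2 = MDB2::factory($dsn);
if (PEAR::isError($mdb2)) {
    die('Connection failed: ' . $mdb2->getMessage());
}

// Pattern to avoid: the untrusted value is spliced into the SQL text. Whether
// or not a replacement function such as antiInjectie() runs first, the value
// still becomes part of the statement, so every character the replacement
// list does not cover is still interpreted by the database as SQL.
function findUserUnsafe(MDB2_Driver_Common $db, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->queryAll($sql, null, MDB2_FETCHMODE_ASSOC);
}

// Recommended pattern: the statement text is fixed and carries a placeholder.
// The value is handed to the driver separately, so the database never parses
// it as SQL; quotes, comment markers or hex sequences in it stay plain data.
function findUserSafe(MDB2_Driver_Common $db, $name)
{
    $sth = $db->prepare(
        'SELECT id, name FROM users WHERE name = ?',
        array('text'),          // MDB2 type of each placeholder, in order
        MDB2_PREPARE_RESULT     // the statement returns a result set
    );
    if (PEAR::isError($sth)) {
        return $sth;
    }
    $res = $sth->execute(array($name)); // values bound positionally
    $sth->free();
    if (PEAR::isError($res)) {
        return $res;
    }
    return $res->fetchAll(MDB2_FETCHMODE_ASSOC);
}

// A name containing an apostrophe: the prepared statement searches for the
// literal string O'Brien unchanged, while the spliced version would have to
// mangle the value (as antiInjectie() does) or produce a malformed query.
$input = "O'Brien";
$rows  = findUserSafe($mdb2, $input);
if (PEAR::isError($rows)) {
    echo 'Query failed: ' . $rows->getMessage() . "\n";
} else {
    printf("%d matching row(s) for %s\n", count($rows), $input);
}
$mdb2->disconnect();
```

Note that the bound value reaches the table exactly as the user typed it, so nothing has to be undone when it is displayed later; the HTML encoding that antiInjectie() mixes in belongs at output time, not in the database layer.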