Preventing SQL injection in PHP with MDB2

Lucas Kauffman · Jul 17, 2011 · Viewed 9.8k times

I'm trying to figure out how to prevent SQL injection. I wrote this basic function:

function antiInjectie($inputfromform) {
    // Swap single quotes for backticks and SQL comment markers ("--") for "~~"
    $temp = str_replace("'", "`", $inputfromform);
    $temp = str_replace("--", "~~", $temp);
    // Encode HTML special characters before handing the value back
    return htmlentities($temp);
}

However, someone told me to also take hex values into consideration, but how do I do this?

Update: I'm stuck with MDB2 and pgsql.

Answer

Quentin · Jul 17, 2011

Bobby-Tables has a good guide to preventing SQL injection.

In short: don't twiddle with the input yourself; use database API methods that allow bound parameters.
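Bound parameters with MDB2 on PostgreSQL, as an added example that is not part of the question or the answer above. It assumes PEAR's MDB2 with the pgsql driver is installed and that a "users" table with columns id, username and password_hash exists; the DSN is a placeholder. Because the values travel as parameters rather than being spliced into the SQL text, quotes, "--", hex-encoded strings and anything else the asker was trying to filter out are treated as plain data by the database.

```php
<?php
// Added example, not from the original question or answer.
// Assumed: PEAR MDB2 + MDB2_Driver_pgsql installed; table users(id, username, password_hash).
require_once 'MDB2.php';

$dsn = 'pgsql://app_user:secret@localhost/appdb'; // placeholder DSN (assumption)
$mdb2 = MDB2::factory($dsn);
if (PEAR::isError($mdb2)) {
    die('Connection failed: ' . $mdb2->getMessage());
}

/**
 * Look up a user by username with a prepared statement.
 * The username is bound as a 'text' parameter, so whatever it contains
 * (quotes, comment markers, hex-looking strings) is never parsed as SQL.
 * Returns the row as an associative array, or null when no user matches.
 */
function findUser(MDB2_Driver_Common $db, $username)
{
    $sql = 'SELECT id, username, password_hash FROM users WHERE username = ?';
    // 2nd arg: placeholder types; 3rd arg: this statement returns a result set.
    $stmt = $db->prepare($sql, array('text'), MDB2_PREPARE_RESULT);
    if (PEAR::isError($stmt)) {
        die('Prepare failed: ' . $stmt->getMessage());
    }
    $res = $stmt->execute(array($username));
    if (PEAR::isError($res)) {
        die('Execute failed: ' . $res->getMessage());
    }
    $row = $res->fetchRow(MDB2_FETCHMODE_ASSOC);
    $res->free();
    $stmt->free();
    return $row;
}

/**
 * Insert a user with named placeholders. MDB2_PREPARE_MANIP marks the
 * statement as data-changing, so execute() returns the affected row count.
 */
function createUser(MDB2_Driver_Common $db, $username, $passwordHash)
{
    $sql = 'INSERT INTO users (username, password_hash) VALUES (:name, :hash)';
    $stmt = $db->prepare($sql, array('name' => 'text', 'hash' => 'text'), MDB2_PREPARE_MANIP);
    if (PEAR::isError($stmt)) {
        die('Prepare failed: ' . $stmt->getMessage());
    }
    $affected = $stmt->execute(array('name' => $username, 'hash' => $passwordHash));
    if (PEAR::isError($affected)) {
        die('Execute failed: ' . $affected->getMessage());
    }
    $stmt->free();
    return $affected;
}

// A classic injection payload (constructed sample input). With a bound
// parameter it is compared literally against the username column and
// simply matches nothing; no filtering of quotes or "--" is needed.
$hostile = "admin' OR '1'='1' --";
var_dump(findUser($mdb2, $hostile));

// If you ever must build a literal yourself (e.g. a dynamic IN (...) list),
// let the driver quote it rather than using str_replace(): quote() applies
// the pgsql driver's own escaping rules for the given type.
$literal = $mdb2->quote($hostile, 'text');
echo "Driver-quoted literal: $literal\n";

$mdb2->disconnect();
```

The type array passed to prepare() is what makes MDB2 send the value with the right quoting for the driver; keep it in sync with the placeholders, and prefer the bound-parameter path over quote() wherever the query shape is fixed.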