Prevent SQL injection with regular expression?

Question

Possible Duplicate:
Best way to prevent SQL Injection in PHP

I wanted to ask you do i need to use something else from the code bellow:

         if(isset($_POST['submit'])) {
         $username = $_POST['username'];
         $password = $_POST['password'];
         $validate = '/^[a-z]+[a-z0-9]*[.-_]*$/i';
               if ((preg_match($validate , $username)==true) && (preg_match($validate ,                                                                                     $password)==true)) {

                        some query...   
               } else {
                        echo "You've used some characters that aren't allowed.";
               }
       }else {
               echo 'Not logged!';  
       }

Is this regular expression good to save me from SQL injection?Or can you give me any other suggestions to make my login form good enought!

It is. But if you want to be lazy, then rather eschew cumbersome database [escaping completely](http://stackoverflow.com/questions/3659898/php-pdo-use-simple-prepared-statement-with-query-return-affected-rows). — mario, Jun 04 '12 at 18:54

Sebas · Answer 1 · 2012-06-04T19:18:56.147

3

use mysql_real_escape_string if your driver is still the older one, or prepared statements with parameters binding if you are using newer pdo drivers, or mysqli_real_escape_string from mysqli.

http://php.net/manual/en/function.mysql-real-escape-string.php

http://php.net/manual/en/pdo.prepared-statements.php

http://php.net/manual/en/mysqli.real-escape-string.php

edited Jun 04 '12 at 19:18

answered Jun 04 '12 at 18:47

Sebas

21,192
9
55
109

And what about wrong sql queries to the databse? Even with the prepared statements they will be send that isn't good for server productivity. – Paul Basenko Jun 04 '18 at 14:42

Prevent SQL injection with regular expression?

1 Answers1