
Just a quick question about SQL injections. I know that in order to do one you must enter some MySQL code and enter it into a form textbox or somewhere and it would give you back the data. With my website, to protect the data I made it impossible to send the form to the database if the user uses any '@', ';', or '/' symbols in the textbox, because those are some common symbols used to retrieve the info through injection. Do you think that I'm protected?

Hanker
  • That's a horrible approach. It's user-hostile (what if someone wants to use a `;` or a `/` in one of your form fields?) and easy to screw up (like how you forgot `'` and `"` characters). There are industry standard ways of making user input safe like parameterized queries. Use them. – ceejayoz Oct 28 '15 at 01:04
  • So you don't allow users to enter an email address, or mathematical formulae, or even properly punctuated text..... that won't please your users..... rather than restrict them, why not simply handle this properly with prepared statements/bind variables – Mark Baker Oct 28 '15 at 01:10
  • Two things: If you insist on using low-level drivers, use **prepared statements** religiously. If you're looking to be more productive as a developer, look at finding a [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) that gives you a solid foundation for building your application. Find one that suits your style and needs and follow the examples and documentation. Most have a large library of community code you can add in with little effort, avoiding the need to reinvent the wheel. – tadman Oct 28 '15 at 01:15
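The point the comments make, as an added example that is not part of the question or any comment: the question's `@`/`;`/`/` blacklist still lets a quote through, so a concatenated query changes meaning, while the same input bound as a parameter stays data. The `users` table and its rows are constructed here for the demonstration; the filter logic mirrors the question's description.

```python
import sqlite3

# Constructed sample data for the demo; not from the original question.
ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]

# The question's blacklist: reject input containing '@', ';' or '/'.
BLOCKED = set("@;/")


def make_db():
    """Build an in-memory SQLite table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", ROWS)
    return conn


def blacklist_allows(value):
    """Mirror the question's filter: True if no blocked character is present."""
    return not any(ch in BLOCKED for ch in value)


def lookup_unsafe(conn, name):
    """String concatenation: the input becomes part of the SQL text itself."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds the input as data, never as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def compare(name):
    """Run one input through the blacklist, the concatenated query and the bound query."""
    conn = make_db()
    try:
        allowed = blacklist_allows(name)
        unsafe = None  # the question's form would never send a blocked value
        if allowed:
            try:
                unsafe = lookup_unsafe(conn, name)
            except sqlite3.Error:
                unsafe = "error"  # a legitimate apostrophe breaks the concatenated SQL
        return {"passes_blacklist": allowed, "unsafe_rows": unsafe, "safe_rows": lookup_safe(conn, name)}
    finally:
        conn.close()


if __name__ == "__main__":
    for candidate in ["bob", "o'brien", "user@example.com", "x' OR 'a'='a"]:
        print(repr(candidate), compare(candidate))
```

The email address is rejected outright (the user-hostility Mark Baker describes), `o'brien` passes the filter but breaks the concatenated query, and the quoted input passes the filter and returns every row from the concatenated query while the bound query returns none.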
