Tags: php, postgresql, sql-injection, mdb2

Preventing SQL injection in PHP with MDB2


I'm trying to figure out how to prevent SQL injection. I wrote this basic function:

    function antiInjectie($inputfromform) {
        $temp = str_replace("'", "`", $inputfromform);
        $temp = str_replace("--", "~~", $temp);
        return htmlentities($temp);
    }

However, someone told me to also take hex values into consideration, but how do I do this?

Update: I'm stuck with MDB2 and pgsql.


Solution

  • Bobby-Tables has a good guide to preventing SQL injection.

    In short: Don't twiddle with the input yourself; use database API methods that allow bound parameters.
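What "bound parameters" looks like with the asker's stack (PEAR MDB2 on PostgreSQL), as an added example that is not part of the answer. It assumes a table `users(id, username, email)` and a `$dsn` pointing at the target database; both are placeholders for illustration.

```php
<?php
// Added example, not from the question or answer. Assumes a table
// users(id, username, email) and a $dsn for the database (placeholders).
require_once 'MDB2.php';

function findUserByName(MDB2_Driver_Common $mdb2, $username)
{
    // The SQL text and the value travel separately: the placeholder (?)
    // is filled by MDB2 with a correctly quoted/escaped value, so quotes,
    // dashes or hex escapes in $username are data, never SQL. There is
    // nothing to "filter" on our side, which is the answer's point.
    $sth = $mdb2->prepare(
        'SELECT id, username, email FROM users WHERE username = ?',
        array('text'),          // declared type of each placeholder
        MDB2_PREPARE_RESULT     // this statement returns rows
    );
    if (PEAR::isError($sth)) {
        throw new Exception('prepare failed: ' . $sth->getMessage());
    }

    $res = $sth->execute(array($username)); // bind the raw form value
    $sth->free();
    if (PEAR::isError($res)) {
        throw new Exception('execute failed: ' . $res->getMessage());
    }
    return $res->fetchRow(MDB2_FETCHMODE_ASSOC); // false when no match
}

function findUserById(MDB2_Driver_Common $mdb2, $id)
{
    // Why character replacement is not enough: a numeric literal needs
    // no quotes at all, so a quote-stripping filter never sees the
    // dangerous part of a bad id. A typed placeholder makes MDB2 cast the
    // value to an integer before it reaches PostgreSQL.
    $sth = $mdb2->prepare('SELECT id, username FROM users WHERE id = ?',
                          array('integer'), MDB2_PREPARE_RESULT);
    if (PEAR::isError($sth)) {
        throw new Exception('prepare failed: ' . $sth->getMessage());
    }
    $res = $sth->execute(array($id));
    $sth->free();
    if (PEAR::isError($res)) {
        throw new Exception('execute failed: ' . $res->getMessage());
    }
    return $res->fetchRow(MDB2_FETCHMODE_ASSOC);
}

$mdb2 = MDB2::connect($dsn);   // e.g. 'pgsql://user:pass@localhost/app'
if (PEAR::isError($mdb2)) {
    die($mdb2->getMessage());
}
$user = findUserByName($mdb2, isset($_POST['username']) ? $_POST['username'] : '');
```

When a value cannot be bound (for instance a table or column name), it must come from a whitelist in your code, not from the request; `$mdb2->quote($value, 'text')` covers the rare case of building a literal by hand.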