Before you check your database for the user/password pair, create a function
that takes the pair handed to you and run ereg on it to check for bad
characters. If there are bad characters, return false and don't run the
query on the database. If the characters are acceptable, return true and
run the query.
Adam Lang
Systems Engineer
Rutgers Casualty Insurance Company
http://www.rutgersinsurance.com
----- Original Message -----
From: "Jefferis Peterson" <jefferis@p...>
To: "professional php" <pro_php@p...>
Sent: Friday, May 25, 2001 1:16 PM
Subject: [pro_php] safe inputs from a form
> I'm putting together a password userid form which will require an exact
> match, I believe to work, but my concern would be that someone might slip
> bad code into the password access. So how do you protect without messing
> up the password names the client provides? Can I use htmlspecialchars?
> The passwords should be letters and numbers with perhaps a _
>
> > $sql=sprintf("select userid from users where username=\"%s\" and
> >pwrd=\"%s\"
> >and active=1",$uid,$pwd);
> > $res=mysql_query($sql,$con);
> >
> > if ((mysql_num_rows($res)!=0)&&($uid!=""))
>
> --
> Jefferis Kent Peterson
> www.PetersonSales.net
> Flash, Web Design and Marketing
> ICQ 19112253
>
>
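As an added example (not code from the thread): Adam's allow-list check written as a function, using preg_match() since ereg() was removed in PHP 7, and going one step further than the reply by running the lookup as a mysqli prepared statement. Table and column names follow the quoted query; the mysqli connection is assumed.

```php
<?php
// Added example, not from the original list thread. Allow-list check for a
// username/password pair, then the lookup as a prepared statement. Assumes
// mysqli and the table/columns from Jefferis's query (users: userid,
// username, pwrd, active).

// Return true only if both values consist solely of letters, digits and
// underscore and have a sane length. ereg() is gone in PHP 7, so an anchored
// preg_match() pattern is used; \z rather than $ keeps a trailing newline
// from slipping past the check.
function credentials_are_clean(string $uid, string $pwd): bool
{
    $allowed = '/\A[A-Za-z0-9_]{1,64}\z/';
    return preg_match($allowed, $uid) === 1
        && preg_match($allowed, $pwd) === 1;
}

// Look up the user; returns the userid or null. The values are bound as
// parameters, so even a character the allow-list missed cannot change the
// structure of the query the way it could with sprintf().
function find_user(mysqli $con, string $uid, string $pwd): ?int
{
    if ($uid === '' || !credentials_are_clean($uid, $pwd)) {
        return null;            // reject before touching the database
    }
    $stmt = $con->prepare(
        'SELECT userid FROM users WHERE username = ? AND pwrd = ? AND active = 1'
    );
    $stmt->bind_param('ss', $uid, $pwd);
    $stmt->execute();
    $stmt->bind_result($userid);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $userid : null;
}

// Constructed inputs: the second pair contains the double quote the original
// query used as its delimiter, the third a trailing newline.
var_dump(credentials_are_clean('jefferis', 'pass_123'));   // bool(true)
var_dump(credentials_are_clean('jeff"eris', 'pass_123'));  // bool(false)
var_dump(credentials_are_clean('jefferis', "pass_123\n")); // bool(false)
```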