I have an website and really want to prevent all SQL injections BUT allow emails in a string that must go into the database as text. How can I do this?
@roscorAug 31.2008 — #Firstly ensure you have you mysql database correctly set up. I presume you are getting the email address from a form, if so use
preg match perhaps something like the following, n.b. there are many other examples out there, [code=php]if(preg_match('/^[w]+[-w._]*@[w]+[-w]+(.[w]+[-w]+)*.[w]{2,6}$/ ', $_POST['email'])){ $email = $_POST['email']; } else { $error1 .= "Required!"; $vaild1 = "Email not valid format!"; $errcount++;
[code=php] // contains databse connect info include("dbconninfo.php");
//connect to database mysql_connect($host,$username,$password); @mysql_select_db($database) or die(mysql_error());
//Insert to the databse $query = "INSERT INTO mytable VALUES ('','$email'"; mysql_query($query);
//use mysql real escape string after the connection is made $email = mysql_real_escape_string($_POST['email']); [/code] then isn the form remember set the action to parse the page then echo out any errors from the preg_match with the error1 [code=php] <!--this form uses a file upload hence the multipart/form-data other wise omit the enctype altogether -->