Hi, I'm a bit new to SQL and this is my question...
Do I need to filter user input that has no connection with SQL database, e.g.

$x=$_GET;

if ($x == 'help4') {
print "This is help page no4.";
<some mysql queries goes here>
}

Member Avatar for diafol

Always clean your input. mysql_real_escape_string() is the standard.
You can use striptags, htmentities etc to further use, but you can use that on output.

Thank you for reply. But is it possible to harm my page through this type of input?

If you have not connected to your database, and as long as nobody knows the password to it/ the password is not easily guessed, it can't harm the database. But, mysql_real_escape_string() is easily used and good practice.

Member Avatar for diafol

You still need to protect the output. You could store via DB, so ensure that your output doesn't contain <script> tags.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.