I'm trying to figure out a good easy way to avoid SQL Injection and so far I've only been able to come up with two ideas:
- Base64 encode the user input (Don't really want to do this)
- Use regex to remove unwanted characters. (Currently using this, not sure if it's 100% safe)
Here is my current code:
```php
<?php
$hash = $_GET['file'] ?? null;   // table to read is named after the requested hash
if (isset($hash))
{
    $db = new SQLite3("Files.db");
    if ($db != null)
    {
        // Replace every character outside the allowed set with an underscore.
        $hash = preg_replace('/[^A-Za-z0-9 _.\-+=]/', '_', $hash);
        // The filtered value is interpolated directly into the query as the table name.
        if ($response = $db->query("SELECT [FILE] FROM '$hash'"))
        {
            echo $response->fetchArray()[0]; // File name is returned if successful.
        }
    }
}
?>
```
My question is am I going about this the right way or are there any better ways to do this?
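One alternative, as an added example that is not part of the original question: a table name cannot be bound as a prepared-statement parameter, so instead of stripping characters out of the input, the name is checked against an allowlist (first its shape, then its existence in sqlite_master, looked up with a real bound parameter) before it is spliced into the query as a properly quoted identifier. The [FILE] column and the one-table-per-hash layout are taken from the question; the hash pattern, the 64-character limit and the in-memory fixture are assumptions.

```php
<?php
// Added example for the question above; not the original poster's code.
// The [FILE] column and one-table-per-hash layout come from the question;
// the in-memory database and its rows are constructed here as a fixture.

function lookupFile(SQLite3 $db, string $hash): ?string
{
    // Step 1: shape allowlist. Accept only input that looks like a hash,
    // rather than removing "bad" characters from arbitrary input. The
    // character set and length are assumptions; match your real hash format.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $hash)) {
        return null;
    }

    // Step 2: existence allowlist. Identifiers cannot be bound as parameters,
    // so ask the catalogue whether a table of this name exists. Here $hash is
    // a bound value and never becomes part of the SQL text.
    $stmt = $db->prepare(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = :name"
    );
    $stmt->bindValue(':name', $hash, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_NUM);
    if ($row === false) {
        return null;   // unknown table: report "not found", never fall through
    }

    // Step 3: splice the catalogue's own copy of the name into the query as a
    // double-quoted identifier, doubling any embedded quote (SQLite's
    // identifier escape). Step 1 already excludes quotes; this keeps the
    // function safe if that pattern is ever relaxed.
    $ident = '"' . str_replace('"', '""', $row[0]) . '"';
    $file = $db->query("SELECT [FILE] FROM $ident LIMIT 1")
               ->fetchArray(SQLITE3_NUM);
    return $file === false ? null : (string) $file[0];
}

// Constructed fixture standing in for Files.db: one table named after a hash.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE "d41d8cd98f00b204e9800998ecf8427e" ([FILE] TEXT)');
$db->exec("INSERT INTO \"d41d8cd98f00b204e9800998ecf8427e\" ([FILE]) VALUES ('empty.txt')");

// Legitimate lookup: returns the stored file name.
var_dump(lookupFile($db, 'd41d8cd98f00b204e9800998ecf8427e'));
// Well-formed but unknown name: rejected at step 2.
var_dump(lookupFile($db, 'deadbeef'));
// Hostile input: rejected at step 1, never reaches the database.
var_dump(lookupFile($db, "x'; DROP TABLE \"d41d8cd98f00b204e9800998ecf8427e\"; --"));
```

The point of the three steps is that only actual data (the name being compared in sqlite_master) is ever bound as a parameter, while the table name reaches the final query only after it has been confirmed to be one of the tables that already exist. If the real application also filters on a column value (a user-supplied file name, for instance), that value belongs in a `bindValue()` call on a prepared statement, not in the query string.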