I'm working on a site where content pages are handled with mod_rewrite, and I'm trying to make the URLs managed by mod_rewrite protected from SQL injection with some character restrictions, because users can create page contents like this:

http://site.com/content-type/Page-created-by-user
My doubts come when they insert something like:

http://site.com/architect/Giovanni+Dall'Agata

I need to allow the ' character because I can have names like this, for example for famous architects, but I don't know if I can keep the data safe and how to prevent SQL injection with this character. Should I do something in particular to prevent attacks?
I'm using the PDO class in PHP like this:

$architect = strip_tags(trim($_REQUEST["architect"]));
// pdo class etc.: open the connection and prepare a query containing the :arch placeholder
$pdo_stmt->bindParam(":arch", $architect, PDO::PARAM_STR);
$pdo_stmt->execute();
// and the other code here...
Users can't create pages with these characters: < > / \ * ? =

Should I ban ' and " too? Or should I permit only one of ' and ", or can I allow both and still keep the server safe?