Forum MySQL table definition


Blue_UK
01-01-06, 09:49 AM
Hi,

Having acquired a basic knowledge of Windows, Apache, MySQL and PHP I would like to make a forum-like web application. My current implementation is rather basic and will die if you post any characters that can be interpreted as SQL... e.g. posting " /c; drop table posts; " would kill the whole thing. There are functions that can 'escape' or 'slash' out dodgy chars, but is there another way?

Also, what is the table definition for the post table for a forum like this one? I understand it will almost certainly be a relational database with many tables.

I'm using the 'TEXT' datatype to store the actual post content.

Any pointers greatly appreciated.

BRB 1 week.

Avatar
01-01-06, 10:47 AM
imo, the best way to learn that would be to download an existing open source forum application (like phpBB) and look at the code how it does stuff.

http://www.phpbb.com/

Voodoo Child
01-02-06, 12:39 AM
Prepared statements, either on the DB side or on the language side.
Some kind of abstraction layer, like SQLobject or Hibernate usually has the side-effect of eliminating injection attacks.
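
The prepared-statement approach from the reply above, as an added example that is not part of the thread. It uses PHP's PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the posts table, its columns and the sample input are assumptions.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL.
// Table and column names (posts, author, body) are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also turn off emulation so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE posts (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    author TEXT NOT NULL,
    body   TEXT NOT NULL
)');

function addPost(PDO $pdo, string $author, string $body): int
{
    // The SQL text is fixed; the values are sent separately and are only ever data.
    $stmt = $pdo->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function getPost(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: a post containing characters that can be read as SQL.
$post = "it's broken'); DROP TABLE posts; --";

// "Before" form, built only to show the problem and never executed:
// concatenation lets the quote in the post end the string literal early.
$concatenated = "INSERT INTO posts (author, body) VALUES ('alice', '" . $post . "')";
echo "Concatenated statement: ", $concatenated, PHP_EOL;

// "After" form: the same post goes through the prepared statement unchanged.
$id     = addPost($pdo, 'alice', $post);
$stored = getPost($pdo, $id);
$count  = (int) $pdo->query('SELECT COUNT(*) FROM posts')->fetchColumn();

echo "Stored unchanged: ", var_export($stored['body'] === $post, true), PHP_EOL;
echo "Rows in posts:    ", $count, PHP_EOL;
```
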

Kunax
01-02-06, 04:08 AM
Getting the phpbb source can be both good and bad as the amount of code can be quite overwhelming if you're not prepared. On the other hand many neat things can be found in the code.

Blue_UK
01-11-06, 10:29 AM
Thanks for the tip Avatar, I did exactly that.

There's quite a lot of code, but it's commented and php is not too nasty (although there's loads I don't know, such as wtf is '@' type variables etc). Now that I've installed phpbb I've lost all motivation to make anything of my own!