afraid of SQL injection attacks
mijreed
Forum Newbie
Posts: 4
Joined: Thu Nov 13, 2008 10:16 am

afraid of SQL injection attacks

Post by mijreed »

New to forum and need some help.

Working on a website (personal) in PHP and MySQL and I'm afraid of SQL injection attacks. My site requires a lot of user interaction and uses a lot of SQL and relational databasing. I don't want to get too far down the road and realize I screwed up somewhere. Here are my questions...

1) Could someone give me an example of a strongly typed query versus a vulnerable one?

2) How well do mysql_real_escape_string() and mysql_escape_string() work to protect against unwanted commands? Could I just use them to sanitize my data?

3) Or should I use PDO to query? I'm not too familiar with PDO but from what I've read, there's quite a bit of debate whether it speeds up or slows down your query time.

4) How exactly does PDO protect you against a SQL injection attack?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: afraid of SQL injection attacks

Post by josh »

mijreed wrote:Working on a website (personal) in PHP and MySQL and I'm afraid of SQL injection attacks.
If it's a personal site and you make backups I don't see why you should be scared.
mijreed wrote:1) Could someone give me an example of a strongly typed query versus a vulnerable one?
Not sure what you mean by strongly typed query.
mijreed wrote:2) How well do mysql_real_escape_string() and mysql_escape_string() work to protect against unwanted commands? Could I just use them to sanitize my data?
Well, they do what they are supposed to do, but just using them doesn't stop you from making your own logic errors.
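The following is an added example (not code posted by mijreed or josh) that puts the vulnerable query, the escaping approach and the PDO prepared statement from mijreed's questions and josh's reply side by side. It uses PDO's SQLite driver with an in-memory database so it runs offline with no MySQL server; with MySQL you would use a `mysql:host=...;dbname=...` DSN and the same PDO calls. The table, its rows and the attacker input are constructed for the demonstration. `mysql_real_escape_string()` needs a live MySQL connection, so `PDO::quote()` stands in for it here to show what escaping does and does not buy you.

```php
<?php
// Added example, not code from the forum thread. SQLite in memory stands in
// for MySQL; the PDO API is the same apart from the DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 'secret1'), ('bob', 'secret2')");

// Constructed attacker input: the quote closes the string literal and the
// "--" comments out the rest of the WHERE clause (the password check).
$username = "alice' -- ";
$password = 'wrong';

// Vulnerable: user input is concatenated into the SQL text, so whatever the
// user typed is parsed as SQL. Kept vulnerable on purpose for the comparison.
function loginVulnerable(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users"
         . " WHERE username = '$username' AND password = '$password'";
    echo "Query actually sent: $sql\n";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: the SQL text is fixed and contains only placeholders; the values are
// handed to the driver separately, so the quote and "--" in $username are
// compared as data and are never parsed as SQL.
function loginSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(loginVulnerable($pdo, $username, $password)); // alice's row: logged in without her password
var_dump(loginSafe($pdo, $username, $password));       // NULL: nobody is literally named "alice' -- "

// Escaping (PDO::quote here, mysql_real_escape_string() on a live MySQL link)
// produces a correctly quoted literal, so this query is safe for this value...
$escaped = 'SELECT id FROM users WHERE username = ' . $pdo->quote($username);
echo "Escaped query: $escaped\n";

// ...but escaping only protects the spot you remembered to escape AND quote.
// A numeric comparison built by concatenation has no quotes to escape, so
// an input like "1 OR 1=1" is still injected unchanged.
$id = '1 OR 1=1';  // constructed attacker input for an unquoted numeric column
echo 'Still vulnerable even after escaping: SELECT id FROM users WHERE id = '
   . $pdo->quote($id) . " (quoted) vs. WHERE id = $id (as often written)\n";
```

Prepared statements are the answer to question 4: the server (or, with MySQL's default `PDO::ATTR_EMULATE_PREPARES`, the driver) receives the query structure and the values separately, so a value cannot change the structure. Two caveats a practitioner would want: set `PDO::ATTR_EMULATE_PREPARES` to `false` on a MySQL connection if you want real server-side prepared statements, and remember that placeholders only work for values, not for table names, column names or `ORDER BY` direction; those have to be checked against a fixed list in your own code, which is the kind of logic error josh is pointing at.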