
afraid of SQL injection attacks

Posted: Thu Nov 13, 2008 10:52 am
by mijreed
New to forum and need some help.

Working on a website (personal) in PHP and MySQL and I'm afraid of SQL injection attacks. My site requires a lot of user interaction and uses a lot of SQL and relational database work. I don't want to get too far down the road and realize I screwed up somewhere. Here are my questions...

1) Could someone give me an example of a strongly typed query versus a vulnerable one?

2) How well do mysql_real_escape_string() and mysql_escape_string() work to protect against unwanted commands? Could I just use them to sanitize my data?

3) Or should I use PDO to query? I'm not too familiar with PDO, but from what I've read there's quite a bit of debate over whether it speeds up or slows down your query time.

4) How exactly does PDO protect you against a SQL injection attack?

Re: afraid of SQL injection attacks

Posted: Thu Nov 13, 2008 12:40 pm
by josh
mijreed wrote: Working on a website (personal) in PHP and MySQL and I'm afraid of SQL injection attacks.
If it's a personal site and you make backups, I don't see why you should be scared.
mijreed wrote: 1) Could someone give me an example of a strongly typed query versus a vulnerable one?
Not sure what you mean by strongly typed query.
mijreed wrote: 2) How well do mysql_real_escape_string() and mysql_escape_string() work to protect against unwanted commands? Could I just use them to sanitize my data?
Well, they do what they are supposed to do, but just using them doesn't stop you from making your own logic errors.