mysql injection protection

twilightnights
Forum Newbie
Posts: 3
Joined: Sun Jan 28, 2007 11:38 pm

Post by twilightnights »

I've read a few tutorials but I am still a bit confused. To protect against this, would this be sufficient? This is when receiving a value from a form. I've read that there is a built-in function and that this could interfere; anyone have any clue what I am talking about?

// escape the submitted form value before it goes into a query
$subanswer = mysql_real_escape_string($_POST['jokeanswer']);
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

mysql_real_escape_string() will only protect your queries against escape-character injection attacks. If your query is not properly engineered, there are other attacks that the function will not be able to prevent, so more is needed. Properly validating and verifying that the data is as expected is equally important.

magic_quotes_gpc and its siblings fiddle with input values. Your code should be written in such a way that it will work the same, in the end, whether the directives are on or not. get_magic_quotes_gpc() et al. can be used in conjunction with stripslashes().
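Putting feyd's two points together, here is an added example (not code from either poster) that normalizes the input so it behaves the same with magic_quotes_gpc on or off, validates each field before it reaches SQL, and then uses a prepared statement instead of relying on escaping alone. The table, column names and connection details are assumptions.

```php
<?php
// Undo magic_quotes_gpc so the rest of the code always sees the raw value,
// whether the directive is on, off, or (in newer PHP) no longer exists.
function raw_input(array $source, string $key): ?string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $value = $source[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Validate before the value goes anywhere near SQL: a joke answer is
// expected to be non-empty printable text of bounded length.
function validate_answer(?string $value): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > 255 || !ctype_print($value)) {
        return null;
    }
    return $value;
}

// A numeric id is checked to be digits only. Escaping would not help here:
// in "WHERE id = $id" there are no quotes for an escape function to protect.
function validate_id(?string $value): ?int
{
    return ($value !== null && ctype_digit($value)) ? (int) $value : null;
}

$answer = validate_answer(raw_input($_POST, 'jokeanswer'));
$jokeId = validate_id(raw_input($_POST, 'jokeid'));   // 'jokeid' is assumed
if ($answer === null || $jokeId === null) {
    http_response_code(400);
    exit('invalid input');
}

// Prepared statement: the driver sends data separately from the SQL text,
// so no escaping or quoting inside the query string is needed at all.
$db = new mysqli('localhost', 'user', 'pass', 'jokes');   // assumed credentials
$stmt = $db->prepare('UPDATE jokes SET answer = ? WHERE id = ?');   // assumed schema
$stmt->bind_param('si', $answer, $jokeId);
$stmt->execute();
```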