
mysql injection protection

Posted: Sun Jan 28, 2007 11:41 pm
by twilightnights
I've read a few tutorials but I am still confused a bit. To protect from this, would this be sufficient? This is when receiving a value from a form. I've read that there is a built-in function and that this could interfere; anyone have any clue what I am talking about?

$subanswer = mysql_real_escape_string($_POST['jokeanswer']);

Posted: Mon Jan 29, 2007 12:07 am
by feyd
mysql_real_escape_string() will only protect your queries against escape character injection attacks. If your query is not properly engineered, there are other attacks that the function will not be able to prevent, so more is needed. Properly validating and verifying the data is as expected is equally important.

magic_quotes_gpc and its siblings fiddle with input values. Your code should be written in such a way that it will work the same, in the end, whether the directives are on or not. get_magic_quotes_gpc() et al can be used in conjunction with stripslashes().
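The following is an added example, not code from either poster, that puts the two points above together: normalise the input so the code behaves the same whether magic_quotes_gpc is on or off, validate each value against what the query expects, and only then escape at the point where the value goes into a quoted string literal. It also shows why escaping alone is not enough for a value that is interpolated unquoted into a numeric comparison. The `$link` connection, the `jokes` table and its `id`/`answer` columns, and the `jokeid` form field are assumptions for the illustration, as is the PHP 5 era mysql_* extension the thread discusses.

```php
<?php
// Added example for the thread above, not the original poster's code.
// Assumes a PHP 5 era mysql_* connection in $link and a hypothetical
// table `jokes` with columns `id` (INT) and `answer` (VARCHAR(255)).

// 1. Undo magic_quotes_gpc so the rest of the code always sees the raw
//    submitted value, whether the directive is on or off.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        if (is_array($value)) {
            return array_map('raw_input', $value);
        }
        return stripslashes($value);
    }
    return $value;
}

// 2. Validate and verify the data is what the query expects.
//    mysql_real_escape_string() only escapes quote, backslash, NUL and
//    line-ending characters; a value such as "1 OR 1=1" passes through it
//    unchanged, so "WHERE id = $id" would still be injectable. For a
//    numeric column, check the value is numeric and cast it instead.
function joke_id_from_request(array $post)
{
    $id = raw_input(isset($post['jokeid']) ? $post['jokeid'] : '');
    if (!ctype_digit($id)) {
        return false;            // reject anything but an unsigned integer
    }
    return (int) $id;
}

function joke_answer_from_request(array $post)
{
    $answer = raw_input(isset($post['jokeanswer']) ? $post['jokeanswer'] : '');
    $answer = trim($answer);
    if ($answer === '' || strlen($answer) > 255) {
        return false;            // enforce the length the column allows
    }
    return $answer;
}

// 3. Escape only where the value is placed inside a quoted string literal;
//    the integer is formatted with %d and needs no escaping.
function build_update_query($link, array $post)
{
    $id     = joke_id_from_request($post);
    $answer = joke_answer_from_request($post);
    if ($id === false || $answer === false) {
        return false;            // refuse to build a query from bad input
    }
    return sprintf(
        "UPDATE jokes SET answer = '%s' WHERE id = %d",
        mysql_real_escape_string($answer, $link),
        $id
    );
}

// Constructed sample submission (not a real request): a hostile id and an
// answer containing a single quote. The id is rejected by ctype_digit(),
// while the quote in the answer is escaped rather than terminating the literal.
$sample = array('jokeid' => '1 OR 1=1', 'jokeanswer' => "O'Brien's answer");
$link   = mysql_connect('localhost', 'user', 'password');   // hypothetical credentials
var_dump(build_update_query($link, $sample));
$sample['jokeid'] = '42';
var_dump(build_update_query($link, $sample));
```

The ordering matters: stripslashes() runs first so that a backslash added by magic_quotes_gpc is not escaped a second time, validation runs on the raw value, and mysql_real_escape_string() is applied last and only to the string that will sit between quotes in the SQL.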