Protecting against SQL injection (PHP/MySQL)
Posted: Sun Oct 07, 2007 10:13 pm
I was reading the Wikipedia article for SQL injection (link). The article recommends that you use the function "mysql_real_escape_string()" in situations like this (example pulled from article):
My application makes many, many user data calls very similar to that (SELECT * FROM users WHERE username='$username') without using that protection. After skimming that article, it seems that I must replace all of my "WHERE username='$username'" queries with the safer method above. Like I said, I have many, many calls like that, so replacing them will take a while, so I want to make sure it's worth the effort before I start going through and changing it all.. so just looking for a second opinion here.
So my question, which I assume is a yes: is it worth the effort to go through and change all of this? Or is there a different/better alternative? Or (highly, highly doubtful) is it something I need not worry about?
Thanks in advance, guys.
edit: also, should I do this with ALL queries which use a user-submitted value (including integers)? I'm assuming so.. boy, this is going to take a long time.. heh.
Code:
$query_result = mysql_query
(
    "select * from users where name = '"
    . mysql_real_escape_string($user_name, $dbh)   // escape the value for the open connection $dbh
    . "'"
);
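The three forms of the lookup discussed in this post side by side, as an added example that is not part of the original post: the unprotected query, the escaped version (the Wikipedia approach), and the prepared-statement alternative. It uses PDO rather than the mysql_* functions (which were removed in PHP 7) and assumes a PDO connection in `$pdo` opened with `PDO::ERRMODE_EXCEPTION`; the table and column names are the ones from the post.

```php
<?php
// Added example, not from the original post. Assumes $pdo is a PDO connection
// to MySQL created with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.

// 1. The pattern from the post: user input is pasted into the SQL text, so a
//    quote inside $username ends the string literal and the rest is parsed as SQL.
function find_user_unsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT * FROM users WHERE username='$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Escaping, as in the Wikipedia example. PDO::quote() escapes for the
//    connection's character set and adds the surrounding quotes, which is what
//    mysql_real_escape_string($value, $dbh) plus the manual "'" did.
//    Caveat: escaping only protects a value inside a quoted string literal; an
//    unquoted integer context such as WHERE id = $id gains nothing from it.
function find_user_escaped(PDO $pdo, string $username): ?array
{
    $sql = 'SELECT * FROM users WHERE username=' . $pdo->quote($username);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Prepared statement with a bound parameter: the SQL text and the value are
//    sent separately, so the value is never parsed as SQL, quoted or not.
//    Set PDO::ATTR_EMULATE_PREPARES => false to get real server-side prepares.
function find_user_prepared(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Integers (the poster's follow-up question): bind them too, typed as integers.
function find_user_by_id(PDO $pdo, $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage: $user = find_user_prepared($pdo, $_POST['username'] ?? '');
```

Replacing each `WHERE username='$username'` with the prepared form is the same amount of editing as adding the escape call, and it also covers the integer queries without a separate casting rule.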