How secure is this code??

Posted: Fri Jun 12, 2009 4:10 am
by vtvstv
Hi, I am using the following code to prevent people from attacking through the input boxes via SQL injection. Could you tell me if this is enough, or am I still vulnerable?

Code:

// Generic escaping, tag stripping and whitespace trimming applied as soon as
// the request values are read (before they reach the SQL query).
$username = addslashes($_REQUEST['username']);
$username = strip_tags($username);
$username = trim($username);
$password = addslashes($_REQUEST['password']);
$password = strip_tags($password);
$password = trim($password);

$username and $password are called into an SQL SELECT command, so I don't want the data collected from the input boxes to allow for additions to the SQL statement.

Any thoughts will be greatly appreciated.

Kai

Re: How secure is this code??

Posted: Fri Jun 12, 2009 4:22 am
by Benjamin
Moved to PHP - Security

Re: How secure is this code??

Posted: Fri Jun 12, 2009 6:09 am
by kaisellgren
Is your name Kai, too? Cool. :)

Just remove all that crap and use the database specific escaping function. I assume you are using MySQL, so, something like:

Code:

// $link is an open MySQL connection from mysql_connect(); the escaping
// function uses that connection's character set.
$username = mysql_real_escape_string($_POST['username'], $link);
// The escaped value is enclosed in single quotes inside the query.
mysql_query("SELECT a FROM b WHERE c = '$username'");

Forget strip_tags(); it does not help you in terms of security. Maybe in some really rare cases. The same applies to trim(). Forget it. addslashes() is just a general way to escape data, but it is not sufficient, and the database-specific function must be used.

Also, remember to enclose values within quotes. For example, in the above code I enclosed the $username value within single quotes. This is necessary.

Re: How secure is this code??

Posted: Fri Jun 19, 2009 4:02 pm
by Darhazer
The appropriate place to escape variables is not where you are initializing them (getting the value from the request), but where you use them, because you can use the same variable for a DB query and for output, and you need two different escapes to prevent both SQL injection and XSS.
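The two points made in the replies above (quote or bind the value in the SQL, and escape at the point of use with a context-specific function) in one runnable form. This is an added example, not code from the thread; it assumes PDO with an in-memory SQLite database so it runs stand-alone (swap the DSN for MySQL in real use), and it uses bound parameters in place of mysql_real_escape_string().

```php
<?php
// Added example, not from the thread. PDO + SQLite in memory is an assumption
// so the script runs offline; the same calls work with a mysql: DSN.
// The raw request value is kept as-is and handled at each point of use:
// a bound parameter for SQL, htmlspecialchars() for HTML output.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT)');

// Constructed accounts; passwords are stored as hashes, never plaintext.
$seed = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$seed->execute(['alice',   password_hash('correct horse', PASSWORD_DEFAULT)]);
$seed->execute(["o'brien", password_hash('battery staple', PASSWORD_DEFAULT)]);

// The username is bound, never spliced into the SQL text, so a quote in it
// is just data and cannot add to the statement.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $username, string $password): bool
{
    $row = findUser($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Constructed values standing in for $_REQUEST['username'] / ['password'].
$requests = [
    ['username' => 'alice',          'password' => 'correct horse'],
    ['username' => "o'brien",        'password' => 'battery staple'],
    ['username' => "<b>o'brien</b>", 'password' => 'wrong'],
];

foreach ($requests as $req) {
    $ok = login($db, $req['username'], $req['password']);
    // HTML context: escape here, at output, not when the value was read.
    $shown = htmlspecialchars($req['username'], ENT_QUOTES, 'UTF-8');
    echo ($ok ? 'login ok   ' : 'login fail ') . 'for user "' . $shown . "\"\n";
}
```

The second request shows that a username containing a quote logs in normally, and the third that the same raw value is rendered safely for HTML without strip_tags() on input.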