Re: General security and sql injection
Posted: Sat Jun 27, 2009 3:51 pm
by spartan7
Ok, so I apply mysql_real_escape_string to variables that are to go into the database, and if this escaped variable is placed between quotes in the query, it will be safe.
Second, when using htmlspecialchars, I should use that on output, when echoing a result from the database, and not when entering it. Also, this variable must be between tags and not inside tags, and then it will be safe.
Am I getting it now?
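A worked version of the two rules in this post, added here as an example and not code from the thread. Python's sqlite3 module stands in for PHP's MySQL functions (a prepared statement with a `?` placeholder replaces escape-plus-quotes), and a small `htmlspecialchars_compat()` helper mimics htmlspecialchars() with its default flags; the `users` table and the payloads are constructed for the demonstration. It also goes one step past the post: it shows what "not inside tags" means in practice, since the default flags leave the single quote unencoded, and that a URL attribute needs a scheme check that no amount of escaping provides.

```python
import html
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """In-memory SQLite table standing in for the MySQL table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: user input is spliced into the SQL text. A quote in the
    input ends the string literal and the rest of the input is parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Prepared statement: the value travels separately from the SQL text and
    can never change the query structure, whatever characters it contains."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def htmlspecialchars_compat(s):
    """Mimics PHP htmlspecialchars() with its default flags (ENT_COMPAT):
    & < > and the double quote are encoded, the single quote is NOT."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def render_text_node(value):
    """Output escaping in the place the post describes: between tags."""
    return "<td>" + htmlspecialchars_compat(value) + "</td>"


def render_attr_unsafe(value):
    """Same escaping, but the value sits inside a single-quoted attribute.
    A ' in the input closes the attribute and the rest becomes new attributes."""
    return "<input value='" + htmlspecialchars_compat(value) + "'>"


def render_attr_safe(value):
    """If a value must go inside a tag: encode both quote kinds (the ENT_QUOTES
    behaviour; html.escape does this with quote=True) and double-quote it."""
    return '<input value="' + html.escape(value, quote=True) + '">'


def render_link(url):
    """Escaping cannot help a URL attribute: 'javascript:alert(1)' contains no
    special character. Allow only http(s) and replace anything else."""
    if not url.lower().startswith(("http://", "https://")):
        url = "#"
    return '<a href="' + html.escape(url, quote=True) + '">link</a>'


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, payload))   # every row comes back
    print("safe:  ", find_user_safe(db, payload))     # no row matches
    print(render_attr_unsafe("' onfocus='alert(1)"))  # attribute injected
    print(render_attr_safe("' onfocus='alert(1)"))    # stays a plain value
```

Run it and compare the two SQL results for the same payload: the concatenated query returns every user, the prepared statement returns none. The two `render_attr_*` lines show why "between tags" matters: the default htmlspecialchars flags are enough for text content but not for a single-quoted attribute.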

Re: General security and sql injection
Posted: Sat Jun 27, 2009 4:17 pm
by kaisellgren
You will notice that security is vicious and is a huge area that plays a big role in your applications, and if
spartan7 wrote: Am I getting it now?

that question refers to security in general, then you probably still have lots to learn. What you have understood so far will eliminate most of the security issues, but not all.
Now that you are interested in this subject, I would recommend reading a book, because that would open your mind a lot and help you to build secure applications.
No application is completely secure, and I am sure you will make plenty of mistakes that will teach you as time goes on. On top of it all, remember to be sufficiently paranoid and not to trust anything (especially, do not trust data!).
Re: General security and sql injection
Posted: Fri Jul 10, 2009 6:15 pm
by zareef
One basic note for users who are planning to use mysql_real_escape_string on all types of input from users (like $_GET, $_POST): it handles the newline character in a different way. All of your \n (newline) characters will be translated into the literal \n (slash N), which may create problems in some situations, like sending emails.
This scenario normally comes up with old applications where you don't know how data is flowing from page to page
(some people still use hidden fields to transfer the data from one page to another and then finally insert it into the database or use it for some other operation).
Re: General security and sql injection
Posted: Sat Jul 11, 2009 2:12 am
by kaisellgren
zareef wrote: One basic note for users who are planning to use mysql_real_escape_string on all types of input from users (like $_GET, $_POST): it handles the newline character in a different way. All of your \n (newline) characters will be translated into the literal \n (slash N), which may create problems in some situations, like sending emails.
Yeah. Sometimes I wonder why it is so hard for people to understand a simple principle: escape if you need to escape; otherwise, don't. If some data goes to a database, escape it with mysql_real_escape_string() (or with some equivalent, or use prepared statements). Using it for other purposes will probably just corrupt the data.
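The newline problem zareef describes and the "escape only what goes to the database" rule from the reply above, as an added example that is not part of the thread. The `escape_for_mysql()` helper reproduces the character mapping the MySQL documentation gives for mysql_real_escape_string() (NUL, newline, carriage return, backslash, both quote kinds and Control-Z) so the effect can be shown without a MySQL connection; it is an illustration, not the real function, which also depends on the connection's character set. The form submission and the `notes` table are constructed. The example also covers the first post's "between quotes" condition: the same escaped value is harmless inside a quoted literal and useless in a numeric context.

```python
# Character mapping taken from the MySQL documentation for
# mysql_real_escape_string(). This helper is an illustration only.
_MYSQL_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape_for_mysql(value):
    """Backslash-escape the characters MySQL treats specially inside a
    quoted string literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def insert_note_sql(body):
    """Escaped value between quotes, the case from the first post: MySQL
    decodes \\' and \\n inside the literal, so the stored text equals the
    original and a quote in the input cannot end the literal early.
    (If sql_mode contains NO_BACKSLASH_ESCAPES this escaping is wrong.)"""
    return "INSERT INTO notes (body) VALUES ('" + escape_for_mysql(body) + "')"


def select_by_id_sql(raw_id):
    """Escaped value NOT between quotes: the payload contains nothing to
    escape, so it passes through and still rewrites the WHERE clause."""
    return "SELECT * FROM notes WHERE id = " + escape_for_mysql(raw_id)


def select_by_id_checked(raw_id):
    """A numeric context needs a type check, not string escaping.
    Returns None for anything that is not a plain integer."""
    if not raw_id.isdecimal():
        return None
    return "SELECT * FROM notes WHERE id = " + str(int(raw_id))


def escape_all_fields(post):
    """The blanket approach zareef warns about: escape every incoming field
    before knowing where it will be used."""
    return {key: escape_for_mysql(val) for key, val in post.items()}


def line_count(text):
    """How many lines an e-mail client would see in this text."""
    return len(text.splitlines())


def handle_submission(post):
    """Escape only the copy that goes into SQL; the e-mail gets the raw text."""
    return {
        "sql": insert_note_sql(post["message"]),
        "email_body": post["message"],
    }


if __name__ == "__main__":
    # Constructed form submission.
    post = {"message": "line one\nline two", "id": "1 OR 1=1"}
    blanket = escape_all_fields(post)
    print(repr(blanket["message"]), line_count(blanket["message"]), "line(s)")
    print(select_by_id_sql(post["id"]))        # WHERE id = 1 OR 1=1
    print(select_by_id_checked(post["id"]))    # None: rejected
    out = handle_submission(post)
    print(out["sql"])
    print(repr(out["email_body"]), line_count(out["email_body"]), "line(s)")
```

The blanket-escaped message collapses to one line because the newline has become the two characters backslash and n; MySQL would turn that pair back into a newline when it parses the quoted literal, but a mail function never will. The unquoted `id` case shows the other half of the rule: escaping only protects a value that sits between quotes.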