Public text input & MySQL: a decent start re: security?
Posted: Mon Jul 27, 2009 1:17 am
Hello all
First post! I am a relative newbie to the more advanced areas of PHP, and I hope as I get stronger to be able to contribute here in useful ways if I can.
I've been making my first PHP/MySQL application. Long story short, there are a couple of ways that public users can input data which is written to my database -- registration (simple form with personal info), and searching for other registered users.
I have been reading up on the potentials for SQL injection attacks. My plan has been to apply the following rules to my public's inputted data:
1. 'Whitelist' all data, restricting possible input based only on what I allow, rather than what I don't;
2. Use a form of escape for any potential data input which is not desired. Thinking of using mysql_real_escape_string();
Given the use of 2, I had then thought it a potential time-saver to produce a function, e.g. safe(), which:
a. Detects for magic_quotes_gpc and strips slashes if on (as per guidance on PHP manual online to avoid duplicating escape);
b. applies mysql_real_escape_string() to the data;
c. returns the data
so that there is minimal repetition of coding but maximum security.
Do the above steps sound like a prudent approach? Forgive my ignorance, but I'd be very interested in hearing if this is overlooking something obvious, or sounds like a pointless exercise!
Thank you in advance
John
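The helper described in the post (steps a to c), written out as an added example that is not the poster's own code, alongside the whitelist check from rule 1 and the two contexts where escaping alone is not enough. It assumes an already-open mysql connection in $link and made-up mysqli credentials; note that magic quotes were removed in PHP 5.4, the mysql_* extension in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0, so on current PHP only the prepared-statement part at the end still runs.

```php
<?php
// Added example, not from the original post. $link is assumed to be an open
// connection from mysql_connect(); the mysqli credentials below are placeholders.

// Steps a+b+c: undo magic_quotes_gpc, then escape for a single-quoted string literal.
function safe($value, $link) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);              // avoid double-escaping
    }
    return mysql_real_escape_string($value, $link); // uses the connection's charset
}

// Rule 1 (whitelist): accept only what the field is supposed to contain.
function valid_username($s) {
    return is_string($s) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $s) === 1;
}

// Intended use: safe() only protects a value that lands INSIDE quotes.
$name = safe($_POST['name'], $link);
$sql  = "SELECT id FROM users WHERE name = '$name'";        // quoted context: OK

// Pitfall 1: unquoted numeric context. Escaping does nothing against 1 OR 1=1,
// because there is no quote to break out of; cast to the expected type instead.
$id   = (int) $_GET['id'];
$sql2 = "SELECT name FROM users WHERE id = $id";

// Pitfall 2: LIKE wildcards. mysql_real_escape_string() leaves % and _ alone, so a
// search for "%" would match every row; backslash-escape them first, then escape
// the string (the order matters so the backslash itself is escaped correctly).
$term = safe(addcslashes($_GET['q'], '%_'), $link);
$sql3 = "SELECT name FROM users WHERE name LIKE '%$term%'";

// Alternative that removes the escaping problem entirely: prepared statements keep
// user data out of the SQL text, so there is no quoting context to get wrong.
$minAge = 18;
$db   = new mysqli('localhost', 'app_user', 'app_pass', 'app'); // assumed credentials
$stmt = $db->prepare('SELECT id FROM users WHERE name = ? AND age > ?');
$stmt->bind_param('si', $_POST['name'], $minAge);               // s = string, i = int
$stmt->execute();
```

The whitelist check still matters with prepared statements: binding a parameter stops injection, but it does not stop a 20 MB username or a name that is not a name, and those are what rule 1 is for.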