SQL injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Well this relates to the ol' SQL injection topic. I am just wondering this...

If I wrap everything submitted from the user in the following, will this be pretty secure from injection?

```php
strip_tags(mysql_real_escape_string($dirtydirtyinput))
```

Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

just the mysql_real_escape_string() should be sufficient.
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

and single quotes around your variable... mysql_query("... SET foo = '$escaped_string'");
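The escape-and-quote pattern the replies above describe, written out as an added example (it is not code from any of the posters). It uses the `mysqli` extension rather than the old `mysql_*` functions, which were removed in PHP 7; `mysqli_real_escape_string()` behaves like `mysql_real_escape_string()` but takes the connection as its first argument, because the escaping rules follow the connection's character set. The first function shows the escaped value placed inside single quotes, as Nathaniel points out it must be; the second shows the same update done with a prepared statement and a bound parameter, where the value is sent separately from the SQL text and no quoting is involved at all. The host, credentials, database and the `widgets` table are placeholders; the column `foo` comes from the thread.

```php
<?php
// Added example, not from the thread. Connection details and the
// `widgets` table are placeholders; the column `foo` is from the posts.

// --- 1. Escape and quote (the approach discussed in the thread) ---
// mysqli_real_escape_string() needs an open connection because its
// escaping depends on the connection charset. The escaped value must be
// wrapped in single quotes in the SQL string; escaping an unquoted value
// does not protect the query.
function build_escaped_query(mysqli $db, string $dirtyInput): string
{
    $escaped = mysqli_real_escape_string($db, $dirtyInput);
    return "UPDATE widgets SET foo = '$escaped' WHERE id = 1";
}

// --- 2. Prepared statement with a bound parameter ---
// The user value never becomes part of the SQL text, so there is no
// quoting to get right; the driver transmits it as data.
function update_foo_prepared(mysqli $db, string $dirtyInput): bool
{
    $stmt = $db->prepare("UPDATE widgets SET foo = ? WHERE id = 1");
    $stmt->bind_param('s', $dirtyInput);   // 's' = string parameter
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (hostname, credentials and database name are placeholders).
$db = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');   // set the charset BEFORE escaping anything

$input = "O'Reilly";   // constructed sample input containing a single quote

echo build_escaped_query($db, $input), PHP_EOL;   // quote is backslash-escaped
$db->query(build_escaped_query($db, $input));

update_foo_prepared($db, $input);
```

Calling `set_charset()` before escaping matters: `mysqli_real_escape_string()` escapes according to the charset the connection reports, so changing the charset afterwards with a raw `SET NAMES` query would leave the escaping function working with stale rules. The prepared-statement form has no such dependency, which is why it is the simpler of the two to get right.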