Securing Variables for SQL

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


reecec
Forum Contributor
Posts: 218
Joined: Sun Apr 02, 2006 7:12 am

Securing Variables for SQL

Post by reecec »

Hi all,

Just wondering what else I could do to protect my scripts.

I have this when adding and checking users when logging in/registering. Is there any more I could do?



Code:

// strip away any dangerous tags
$user=strip_tags($user);
$pass=strip_tags($pass);


// remove spaces from variables
$user=str_replace(" ","",$user);
$pass=str_replace(" ","",$pass);


// remove escaped spaces
$user=str_replace("%20","",$user);
$pass=str_replace("%20","",$pass);

// add slashes to stop hacking
$user=addslashes($user);
$pass=addslashes($pass);

// hash users password for security (32 chars random - md5)
$pass=md5($pass);


Should I also be using mysql_escape_string?


Thanks, Reece
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Code:

// strip away any dangerous tags
// (my)sql does not care about this
$user=strip_tags($user);
$pass=strip_tags($pass);


// remove spaces from variables
// (my)sql does not care about this
$user=str_replace(" ","",$user);
$pass=str_replace(" ","",$pass);


// remove escaped spaces
// (my)sql does not care about this
$user=str_replace("%20","",$user);
$pass=str_replace("%20","",$pass);

// add slashes to stop hacking
// might not be sufficient for (my)sql
$user=addslashes($user);
$pass=addslashes($pass);

// hash users password for security (32 chars random - md5)
// The characters returned by PHP's md5() are safe for use in SQL - but you cannot md5 everything
$pass=md5($pass);
reecec wrote: Should I also be using mysql_escape_string?
Even better: mysql_real_escape_string
reecec
Forum Contributor
Posts: 218
Joined: Sun Apr 02, 2006 7:12 am

Post by reecec »

Thanks for your reply.

So when you say MySQL doesn't care about it, does this mean it doesn't do anything?


What would be the best way to use mysql_escape_string with my $user and $pass vars?

Like this:

Code:

$user1=mysql_real_escape_string($user);
$pass1=mysql_real_escape_string($pass);
Is this right?

Yeah, md5 wouldn't be suitable for everything as I wouldn't be able to see my data.

Thanks again, Reece
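An added example, not code from either poster, that ties volka's three points (tags and spaces do not matter to SQL, addslashes() "might not be sufficient", md5() output is safe) to the usage question in the reply above. To the question "does it do anything": strip_tags() and the str_replace() calls do change the string, but nothing they remove is needed for an injection, as the first part shows. The DB_* constants are hypothetical credentials, the table users(user, pass) is assumed to exist, and because mysql_real_escape_string() was removed in PHP 7 the mysqli twin mysqli_real_escape_string() is used for the live part; it is the same charset-aware escaper volka recommends.

```php
<?php
// Added example for this thread (not the posters' code). It reproduces the
// login query being discussed and shows three things:
//   1. stripping spaces/tags does nothing for SQL: an injection needs neither
//   2. addslashes() is charset-blind, which is why it "might not be sufficient"
//   3. the escape function needs the open connection, and the escaped value
//      must still be placed inside quotes in the query
// Assumptions: the DB_* constants are hypothetical credentials; a table
// users(user VARCHAR(64), pass CHAR(32)) exists; mysql_real_escape_string()
// no longer exists in PHP 7+, so mysqli_real_escape_string() is used.

const DB_HOST = '127.0.0.1';  // assumption
const DB_USER = 'app';        // assumption
const DB_PASS = 'secret';     // assumption
const DB_NAME = 'demo';       // assumption

// The poster's cleanup steps, minus addslashes(), as one function.
function strip_only(string $s): string
{
    $s = strip_tags($s);
    $s = str_replace(' ', '', $s);
    return str_replace('%20', '', $s);
}

// The login query as a concatenated string, the shape used in the thread.
function build_login_query(string $user, string $passHash): string
{
    return "SELECT * FROM users WHERE user='$user' AND pass='$passHash'";
}

// --- 1. No spaces, no tags, still an injection ----------------------------
// Constructed attacker input: quotes, OR, and a '#' comment; no whitespace.
$attack = "'OR'1'='1'#";
echo build_login_query(strip_only($attack), md5('x')), "\n";
// SELECT * FROM users WHERE user=''OR'1'='1'#' AND pass='...'
// MySQL parses ''OR'1'='1' without spaces, and '#' comments out the
// password check, so every row matches.

// --- 2. addslashes() escapes bytes, not characters --------------------------
// Constructed input aimed at a GBK connection: 0xBF followed by a quote byte.
$mbAttack = "\xbf'OR'1'='1'#";
echo bin2hex(addslashes($mbAttack)), "\n";   // starts bf5c27...
// On a GBK connection 0xBF 0x5C is one two-byte character, so the backslash
// addslashes() inserted is absorbed into it and 0x27 is a live quote again.
// mysql(i)_real_escape_string() knows the connection charset; addslashes()
// does not. That is the difference volka is pointing at.

// --- 3. Correct use of the escape function ----------------------------------
function find_user(mysqli $db, string $user, string $pass): ?array
{
    // Escape after connecting: the escaper takes its charset from the link.
    $u = mysqli_real_escape_string($db, $user);
    // md5() output is hex only, so it cannot break the query; escaping it
    // anyway costs nothing and keeps the rule "escape every value" simple.
    $p = mysqli_real_escape_string($db, md5($pass));
    // The escaped value only protects the query when it sits inside quotes.
    $sql = "SELECT user FROM users WHERE user='$u' AND pass='$p'";
    $res = mysqli_query($db, $sql);
    if ($res === false) {
        return null;
    }
    $row = mysqli_fetch_assoc($res);
    return $row ?: null;
}

$db = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
mysqli_set_charset($db, 'utf8mb4');  // server and escaper now agree on the charset
var_dump(find_user($db, $attack, 'x'));    // NULL: it is just an odd username now
var_dump(find_user($db, $mbAttack, 'x'));  // NULL: same
```

Two caveats a reviewer would add to the reply above: the escaped value is only safe inside quotes, so a numeric comparison such as WHERE id=$id gets no protection from any escape function and needs a cast or a prepared statement; and mysql_real_escape_string() emits a warning and returns false when called before mysql_connect(), so the $user1 = mysql_real_escape_string($user) line in the reply must run after the connection is open, not at the top of the script. The "%20" replacement never fires in practice either, because PHP has already URL-decoded $_GET and $_POST by the time the script sees them. With mysqli, mysqli_prepare() plus bind_param() removes the quoting question entirely and is the usual answer to "what else could I do".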