Basic security for form action

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jeaux
Forum Commoner
Posts: 25
Joined: Sun Aug 24, 2008 5:11 pm

Basic security for form action

Post by jeaux »

So I started in the regex forum and was redirected here. Basically I want to ensure that what is entered in a form is checked against SQL exploits.

Here's a link to the other post that should give history for what I'm asking.
viewtopic.php?f=38&t=87169

Does mysql_real_escape_string protect against hacks, to ensure that the data entered cannot destroy or delete preexisting data or compromise the DB in any way?

Thank you for your time,
Joe
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Basic security for form action

Post by Mordred »

It is necessary, but not sufficient. Read my paper:
http://www.logris.org/security/the-unex ... -injection

What you are doing with regexps (use preg_* btw, it's way faster) is called validation; it's a part of the business logic of the application (what is a valid name according to our rules, how old should you be according to our rules). Escaping data before putting it in the database is mandatory and independent of what validation steps you have done before.
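Mordred's "necessary, but not sufficient" point, as an added example that is not from the thread or the linked paper: it uses Python and an in-memory SQLite table (constructed sample rows) so it runs offline. The `escape()` helper is an assumed stand-in for the role mysql_real_escape_string plays, using SQLite's quote-doubling instead of MySQL's backslash escaping. It shows that escaping protects a value inside quotes but does nothing for an unquoted numeric comparison, and that validation plus a parameterised query closes that gap.

```python
"""Validation vs. escaping vs. parameterised queries on an in-memory SQLite table."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string: neutralise the quote character.
    SQLite escapes a single quote by doubling it (MySQL uses a backslash)."""
    return value.replace("'", "''")


def count_by_name_escaped(db: sqlite3.Connection, name: str) -> int:
    # Escaping is enough here because the value sits inside quotes.
    sql = "SELECT COUNT(*) FROM users WHERE name = '%s'" % escape(name)
    return db.execute(sql).fetchone()[0]


def count_by_id_escaped(db: sqlite3.Connection, user_id: str) -> int:
    # Escaping does not help here: the comparison is unquoted, so no quote
    # is needed to alter the statement and the input is spliced in as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE id = %s" % escape(user_id)
    return db.execute(sql).fetchone()[0]


def is_valid_id(user_id: str) -> bool:
    # Validation (a business rule): an id is a short string of digits, nothing else.
    return re.fullmatch(r"[0-9]{1,9}", user_id) is not None


def count_by_id_param(db: sqlite3.Connection, user_id: str) -> int:
    # Parameterised query: the driver keeps data and SQL apart, independent of
    # whatever validation or escaping happened earlier.
    row = db.execute("SELECT COUNT(*) FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    print(count_by_id_escaped(conn, "1 OR 1=1"))   # escaping alone: all rows returned
    print(is_valid_id("1 OR 1=1"))                 # validation rejects it
    print(count_by_id_param(conn, "1 OR 1=1"))     # parameter binding: no rows
```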