Basic security for form action

Posted: Mon Aug 25, 2008 9:10 pm
by jeaux
So I started in the regex forum and was redirected here. Basically I want to ensure that what is entered in a form is checked against SQL exploits.

Here's a link to the other post that should give history for what I'm asking.
viewtopic.php?f=38&t=87169

Does mysql_real_escape_string protect against hacks, to ensure that the data entered cannot destroy or delete preexisting data or compromise the DB in any way?

Thank you for your time,
Joe

Re: Basic security for form action

Posted: Tue Aug 26, 2008 3:08 am
by Mordred
It is necessary, but not sufficient. Read my paper:
http://www.logris.org/security/the-unex ... -injection

What you are doing with regexps (use preg_* btw, it's way faster) is called validation; it's a part of the business logic of the application (what is a valid name according to our rules, how old should you be according to our rules). Escaping data before putting it in the database is mandatory and independent of what validation steps you have done before.
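To make the distinction concrete, here is an added example that is not from either poster. It uses Python with an in-memory sqlite3 table (a constructed stand-in for the PHP/MySQL form handler): the regex functions are the validation step (business rules about names and ages), and the query binds the values as parameters, which is the database-side step that escaping with mysql_real_escape_string is meant to cover and which happens regardless of validation.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for the database behind the form."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("Alice", 34), ("O'Brien", 41), ("Bob", 17)],
    )
    return db


# Validation: business rules, chosen for this example.  A name is letters,
# apostrophes, hyphens and spaces, 1-50 characters; an age is 13-120.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")


def validate_name(name):
    return bool(NAME_RE.match(name))


def validate_age(age):
    return age.isdigit() and 13 <= int(age) <= 120


def find_user(db, name, age):
    """Look up a user from raw form fields.

    Validation decides whether the input is acceptable at all.  The query
    then passes the values as bound parameters instead of splicing them into
    the SQL text, so a legitimate apostrophe (O'Brien) is handled by the
    driver and no escaping is done by hand.
    """
    if not (validate_name(name) and validate_age(age)):
        raise ValueError("form input rejected by validation")
    cur = db.execute(
        "SELECT name, age FROM users WHERE name = ? AND age = ?",
        (name, int(age)),
    )
    return cur.fetchall()


if __name__ == "__main__":
    print(find_user(make_db(), "O'Brien", "41"))
```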