Preventing posting of data with Tamper Data

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Preventing posting of data with Tamper Data

Post by Mordred »

I think you should read this: http://www.logris.org/security/the-unex ... -injection
This code:

$query = 'UPDATE mytable SET username = "'.mysql_real_escape_string($_POST['your_username']).'" WHERE id = '.mysql_real_escape_string($_POST['id'])
is NOT protected against SQL injection. Always use proper quoting, otherwise mysql_real_escape_string doesn't work.
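The point Mordred makes, as an added illustration that is not part of his post or of the linked article: escaping only neutralises quote and backslash characters, so it does nothing for a value that is spliced into the query without surrounding quotes. The example below runs without a database by using `escape_like_mysql()`, an assumed stand-in that escapes the same characters as `mysql_real_escape_string()`; the table and column names are taken from the post, and the PDO variant is shown but not executed here.

```php
<?php
// Added example. Shows why escaping alone does not protect an unquoted
// numeric parameter, next to two hardened ways of building the same UPDATE.

// Stand-in for mysql_real_escape_string(), so this runs offline (assumption:
// it escapes the same set of characters: NUL, \n, \r, \, ', ", \x1a).
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// The pattern from the post: username is quoted, id is not. Escaping the id
// is a no-op for any input that contains no quote or backslash characters,
// so whatever was sent as "id" becomes part of the SQL itself.
function build_query_unquoted(string $username, string $id): string {
    return 'UPDATE mytable SET username = "' . escape_like_mysql($username)
         . '" WHERE id = ' . escape_like_mysql($id);
}

// Fix 1: validate and cast. id is an integer column, so only digit strings
// are accepted; anything else is rejected rather than silently coerced.
function build_query_int_cast(string $username, string $id): ?string {
    if (!ctype_digit($id)) {
        return null;
    }
    return 'UPDATE mytable SET username = "' . escape_like_mysql($username)
         . '" WHERE id = ' . (int) $id;
}

// Fix 2: a prepared statement. Values travel separately from the SQL text,
// so the quoting question disappears for both parameters. Not executed in
// this offline demo; it needs a real PDO connection.
function update_username_prepared(PDO $pdo, string $username, string $id): int {
    $stmt = $pdo->prepare('UPDATE mytable SET username = :u WHERE id = :id');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample input for the id field: no quotes, so escaping leaves it
// untouched and it reaches the WHERE clause as SQL rather than as a number.
$suspiciousId = '1 OR 1=1';

echo build_query_unquoted('alice', $suspiciousId), PHP_EOL;   // id spliced in as SQL
var_dump(build_query_int_cast('alice', $suspiciousId));        // rejected
var_dump(build_query_int_cast('alice', '7'));                  // accepted, id = 7
```

Comparing the first printed query with the second call shows the difference concretely: the escaped-but-unquoted version carries the whole input string into the `WHERE` clause, while the validated version either refuses it or emits a bare integer. The prepared-statement form is the one to prefer in new code, since it removes the need to reason about quoting per parameter at all.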