Mystixs Posted May 30, 2007

Ok, I have done some research on mysql_real_escape_string(), but I was wondering: do I only use it on POST and GET values? If not, what else do I use it on? And if I use only mysql_real_escape_string(), will my website be safe against SQL injections?

Thanks,
-Ryuujin
justsomeguy Posted May 30, 2007

That function protects against SQL injection by escaping characters that may cause a problem. It is only effective for text data, not numeric data. In addition to $_GET and $_POST, you should also use it with $_COOKIE, because the user can change those values. You are trying to protect yourself against malicious user-submitted data. Like I said, this function is only effective for text data because those are the characters it escapes (specifically, quotes). If you want to sanitize numeric data, use either the intval or floatval functions to cast the value to a number and remove any SQL code.
Mystixs Posted May 30, 2007

So I need to use mysql_real_escape_string and intval, and my website will be protected against SQL injections. Is there any further security stuff I should do? Also, any helpful links?
justsomeguy Posted May 30, 2007

Check this page for information about SQL injection vulnerabilities: http://en.wikipedia.org/wiki/Sql_injection

The two vulnerabilities I mentioned are listed as "Incorrectly filtered escape characters" and "Incorrect type handling". There are several links at the bottom of the page for more information.
Matpatnik Posted May 31, 2007

Will this give the same protection as mysql_real_escape_string()?

if (!eregi("^[a-z]+([a-z-])$", $to_scan)) { die("You can only write letters (a-z) and dash (-)"); }
justsomeguy Posted May 31, 2007

Not really the same protection: you are excluding all kinds of characters like !@#$ etc. that may be valid data. mysql_real_escape_string will only escape quotes. You can use your code if you are just trying to limit the field to lowercase letters.
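The following is an added example, not code posted by anyone in this thread. It reproduces the two cases justsomeguy describes (escaping for values inside quotes, intval for numeric values, and the allowlist approach Matpatnik asked about) against an in-memory SQLite database so the effect of each defence can be seen on real query results. Assumptions: escape_string() stands in for mysql_real_escape_string() but doubles the quote the way SQLite and ANSI SQL expect (MySQL uses a backslash instead); to_int() stands in for PHP's intval(); the allowlist pattern, the users table and its rows are constructed for the demo. The parameterised query at the end is the approach a practitioner would use today and is not something the thread discusses.

```python
"""Text-context vs numeric-context SQL injection, run against an in-memory SQLite DB."""
import re
import sqlite3


def escape_string(value):
    """Stand-in for PHP's mysql_real_escape_string() (assumption: we only model the
    quote that would terminate a string literal). MySQL escapes it with a backslash;
    SQLite and ANSI SQL double it to '', which is what this demo's database understands."""
    return str(value).replace("'", "''")


def to_int(value):
    """Stand-in for PHP's intval(): keep a leading integer, return 0 if there is none.
    Everything after the digits is discarded, so "1 OR 1=1" becomes 1."""
    match = re.match(r"\s*[+-]?\d+", str(value))
    return int(match.group()) if match else 0


def identity(value):
    """No sanitising at all: the vulnerable baseline."""
    return value


# Assumed allowlist in the spirit of Matpatnik's regex: lowercase letters and dashes only.
ALLOWLIST = re.compile(r"[a-z][a-z-]*")


def allowlisted(value):
    """Rejects injection strings, but also rejects legitimate data such as O'Brien,
    which is justsomeguy's objection to using an allowlist as a general defence."""
    return ALLOWLIST.fullmatch(str(value)) is not None


def make_db():
    """Constructed sample data for the demo (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 0), (2, "bob", 0), (3, "admin", 1)])
    return conn


def lookup_by_name(conn, name, sanitize=identity):
    """Text context: the value sits inside quotes, so a quote in the input ends the
    literal early ("Incorrectly filtered escape characters"). Escaping fixes this."""
    sql = f"SELECT name FROM users WHERE name = '{sanitize(name)}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id(conn, raw_id, sanitize=identity):
    """Numeric context: there are no quotes around the value, so there is nothing for
    escape_string() to escape ("Incorrect type handling"). Casting to int fixes this."""
    sql = f"SELECT name FROM users WHERE id = {sanitize(raw_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_name_param(conn, name):
    """Bound parameter: the value never becomes part of the SQL text, whatever it
    contains. This is the modern answer; the thread does not cover it."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    text_payload = "' OR '1'='1"   # attacks a quoted string value
    num_payload = "1 OR 1=1"        # attacks an unquoted numeric value
    print("name, no sanitising:  ", lookup_by_name(db, text_payload))
    print("name, escaped:        ", lookup_by_name(db, text_payload, escape_string))
    print("id, escaped only:     ", lookup_by_id(db, num_payload, escape_string))
    print("id, cast with to_int: ", lookup_by_id(db, num_payload, to_int))
    print("name, parameterised:  ", lookup_by_name_param(db, text_payload))
    print("allowlist:", allowlisted("foo-bar"), allowlisted(text_payload), allowlisted("O'Brien"))
```

Running it shows the unsanitised name lookup and the escaped-but-numeric id lookup both returning every row, including the admin account, while escaping in the text case, to_int in the numeric case, and the bound parameter each return only what the input should match. The allowlist blocks the payload but also blocks a name containing an apostrophe, which is the trade-off the last two posts describe.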