
mysql_real_escape_string() Question


Mystixs


OK, I have done some research on mysql_real_escape_string(), but I was wondering: do I only use it on POST and GET data? If not, what else do I use it on? And if I use only mysql_real_escape_string(), will my website be safe against SQL injection?

Thanks,
-Ryuujin


That function protects against SQL injection by escaping characters that may cause a problem. It is only effective for text data, not numeric data. In addition to $_GET and $_POST, you should also use it with $_COOKIE, because the user can change those values. You are trying to protect yourself against malicious user-submitted data. Like I said, this function is only effective for text data because those are the characters it escapes (specifically, quotes). If you want to sanitize numeric data, use either the intval or floatval functions to cast the value to a number and remove any SQL code.

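The reply above makes two points: escaping handles quoted text values, and numeric values need intval()/floatval() instead. The following is an added example, not code from the thread; escapeQuotes() is a stand-in for mysqli_real_escape_string() (which needs a live connection) that escapes only the same characters, so the example runs offline.

```php
<?php
// Added example, not code from the thread. Shows why escaping quotes is not
// enough for numeric parameters and how intval() closes that gap.
// escapeQuotes() is a stand-in for mysqli_real_escape_string(), which needs a
// live connection; it escapes only backslashes and quotes so this runs offline.
function escapeQuotes(string $value): string
{
    // Backslash first, so the backslashes added for quotes are not re-escaped.
    return str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $value);
}

// Text column: the value sits inside quotes, so escaping the quotes is what
// keeps the value from ending the string literal early.
function userByName(string $rawName): string
{
    return "SELECT * FROM users WHERE name = '" . escapeQuotes($rawName) . "'";
}

// Numeric column, done wrong: no quotes surround the value, so any input that
// contains no quote characters passes through escaping unchanged and is read
// by the database as SQL, not as a number.
function userByIdEscapedOnly(string $rawId): string
{
    return "SELECT * FROM users WHERE id = " . escapeQuotes($rawId);
}

// Numeric column, done right: cast to an integer first, as the reply advises.
// intval() keeps the leading digits and drops everything after them.
function userByIdIntval(string $rawId): string
{
    return "SELECT * FROM users WHERE id = " . intval($rawId);
}

// Constructed sample inputs standing in for $_GET / $_POST / $_COOKIE values.
$name = "O'Brien";     // legitimate value containing a quote
$id   = "7 OR 1=1";    // non-numeric value containing no quotes

echo userByName($name), PHP_EOL;          // quote is escaped, literal stays intact
echo userByIdEscapedOnly($id), PHP_EOL;   // escaping changed nothing
echo userByIdIntval($id), PHP_EOL;        // only the integer 7 reaches the query
```

Compare the last two lines of output: the escaped-only query still carries the whole input as SQL, while the intval() version contains only the number.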

Check this page for information about SQL injection vulnerabilities:

http://en.wikipedia.org/wiki/Sql_injection

The two vulnerabilities I mentioned are listed as "Incorrectly filtered escape characters" and "Incorrect type handling". There are several links at the bottom of the page for more information.


Will this give the same protection as mysql_real_escape_string()?

// eregi() was removed in PHP 7; preg_match() with the /i flag is the case-insensitive equivalent
if (!preg_match('/^[a-z]+([a-z-])$/i', $to_scan)) {
    die("You can only write letters (a-z) and dash (-)");
}


Not really the same protection; you are excluding all kinds of characters like !@#$ etc. that may be valid data. mysql_real_escape_string will only escape quotes; you can use your code if you are just trying to limit the field to lowercase letters.
