mysql_real_escape_string

[mikelbring]

I have read a few different places that doing mysql_real_escape_string is not all that safe. I am wondering what are more practices I can take to make my code secure from MySQL or other attacks.

My Security function:

PHP Code:

public function clean(&$value){
    
        if (ini_get('magic_quotes_gpc')) $value = stripslashes($value); 
        
        $value = mysql_real_escape_string($value);
    
    } 


[Jordan]

mysql_real_escape_string is probably the safest way to cleanse tainted data directed at a MySQL database.

[mikelbring]

Well these are the 2 articles I looked at
Codex Securitatis » The Curse of Magic Quotes

and

[The Unexpected SQL Injection] Web Security Articles - Web Application Security Consortium

[Jordan]

The first article (excellent read) doesn't say anything bad against mysql_real_escape_string directly. It does state that if you escape all post/get quotes you can mess up data. Basically, you should only use mysql_real_escape_string at data aimed for mysql (and if you are not using mysql you shouldn't use this unless you are willing to make a DB connection).

For article #2 I didn't read the whole thing but skipped directly to section #3 which states:

Quote:

The well known remedy to that is to escape all variables that will be included in the dynamic query with mysql_real_escape_string(). Example 2 shows that the same attacks no longer work.

It is basically recommending that you need to escape all strings aimed at SQL to prevent SQL injection.

[John]

another method that should be used in conjunction with escaping is to use regular expressions to make sure the data that goes into the database is the data you expect
Posted via CodeCall Mobile