I have read a few different places that doing mysql_real_escape_string is not all that safe. I am wondering what are more practices I can take to make my code secure from MySQL or other attacks.
My Security function:
Code:public function clean(&$value){
if (ini_get('magic_quotes_gpc')) $value = stripslashes($value);
$value = mysql_real_escape_string($value);
}
Realize the Web Web services and design.
mysql_real_escape_string is probably the safest way to cleanse tainted data directed at a MySQL database.
Well these are the 2 articles I looked at
Codex Securitatis ยป The Curse of Magic Quotes
and
[The Unexpected SQL Injection] Web Security Articles - Web Application Security Consortium
Realize the Web Web services and design.
The first article (excellent read) doesn't say anything bad against mysql_real_escape_string directly. It does state that if you escape all post/get quotes you can mess up data. Basically, you should only use mysql_real_escape_string at data aimed for mysql (and if you are not using mysql you shouldn't use this unless you are willing to make a DB connection).
For article #2 I didn't read the whole thing but skipped directly to section #3 which states:
It is basically recommending that you need to escape all strings aimed at SQL to prevent SQL injection.The well known remedy to that is to escape all variables that will be included in the dynamic query with mysql_real_escape_string(). Example 2 shows that the same attacks no longer work.
another method that should be used in conjunction with escaping is to use regular expressions to make sure the data that goes into the database is the data you expect
Posted via CodeCall Mobile
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
| vBulletin v4.0.2 ©2010, Jelsoft Enterprises Ltd.
|
Copyright 2005-2010 |
LinkBack URL
About LinkBacks
Reply With Quote
Bookmarks
Algorithms and Data Structures
Java tutorials
Algorithms Forum