mysql_real_escape_string

4 replies to this topic

#1
mikelbring

    Programmer

  • Members
  • 118 posts
I have read in a few different places that using mysql_real_escape_string is not all that safe. I am wondering what other practices I can take to make my code secure from MySQL or other attacks.

My security function:
public function clean(&$value){
	// Undo the backslashes magic_quotes_gpc added on input, so the value is not escaped twice
	if (ini_get('magic_quotes_gpc')) $value = stripslashes($value);

	// Escape for use inside a quoted MySQL string literal (requires an open mysql connection)
	$value = mysql_real_escape_string($value);
}

Realize the Web Web services and design.


#2
Guest_Jordan_*
  • Guests
mysql_real_escape_string is probably the safest way to cleanse tainted data directed at a MySQL database.

#3
mikelbring

    Programmer

  • Members
  • 118 posts
Well, these are the two articles I looked at:
Codex Securitatis » The Curse of Magic Quotes

and

[The Unexpected SQL Injection] Web Security Articles - Web Application Security Consortium


#4
Guest_Jordan_*
  • Guests
The first article (excellent read) doesn't say anything bad about mysql_real_escape_string directly. It does state that if you escape all POST/GET quotes you can mess up data. Basically, you should only use mysql_real_escape_string on data aimed at MySQL (and if you are not using MySQL you shouldn't use this unless you are willing to make a DB connection).

For article #2 I didn't read the whole thing but skipped directly to section #3, which states:

Quote

The well known remedy to that is to escape all variables that will be included in the dynamic query with mysql_real_escape_string(). Example 2 shows that the same attacks no longer work.

It is basically recommending that you need to escape all strings aimed at SQL to prevent SQL injection.

#5
John

    Writes binary right handed and hex left handed

  • Moderators
  • 6,321 posts
Another method that should be used in conjunction with escaping is to use regular expressions to make sure the data that goes into the database is the data you expect.
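The two points made in posts #4 and #5 (escape only at the MySQL boundary, and validate the shape of the data before it gets there) put together in one PHP snippet. This is an added example, not code from the original thread or from any of the posters. It assumes a mysqli connection in `$db` and a table `users(id, username, email)`; both are assumptions, as are the function names. It uses mysqli rather than the old mysql_* functions the thread discusses, and it shows a prepared statement alongside the escaping helper, because binding the value keeps it out of the SQL text entirely.

```php
<?php
// Added example, not from the original thread. Assumptions: a mysqli connection in $db,
// a table users(id, username, email), and the function names used here.
declare(strict_types=1);

/**
 * Post #5's point: allow-list the shape of the data before it gets near SQL.
 * Returns the trimmed value, or null if it does not match the expected pattern.
 * The anchors and the D modifier make sure the whole string must match (no trailing newline).
 */
function validate_username(string $raw): ?string
{
    $value = trim($raw);
    // 3-20 characters, letters/digits/underscore only.
    return preg_match('/^[A-Za-z0-9_]{3,20}$/D', $value) === 1 ? $value : null;
}

/**
 * Same idea for a numeric id: only a canonical non-negative integer literal is accepted,
 * so input like "1 OR 1=1" is rejected instead of being interpolated into the query.
 */
function validate_id(string $raw): ?int
{
    return preg_match('/^(0|[1-9][0-9]{0,9})$/D', $raw) === 1 ? (int) $raw : null;
}

/**
 * Post #4's point: escape once, only at the MySQL boundary, and only for values that
 * go into a quoted string literal. The escaped value is always wrapped in quotes here;
 * real_escape_string on its own does not protect an unquoted position such as WHERE id = $id.
 * The connection's charset must be set (see usage below) because the escaping is charset-dependent.
 */
function sql_quoted(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

/**
 * Preferred form: a prepared statement. The value is sent separately from the SQL text,
 * so nothing needs escaping at all. Validation is still worthwhile for data quality.
 */
function find_user(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs to exercise the validators without a database.
    var_dump(validate_username('mikelbring'));        // string(10) "mikelbring"
    var_dump(validate_username("admin' OR '1'='1"));  // NULL
    var_dump(validate_id('118'));                     // int(118)
    var_dump(validate_id('1 OR 1=1'));                // NULL

    // Database part (assumed connection details; runs only if the server is reachable):
    // $db = new mysqli('localhost', 'app', 'secret', 'appdb');
    // $db->set_charset('utf8mb4');
    // $username = validate_username($_POST['username'] ?? '');
    // if ($username === null) { http_response_code(400); exit('bad username'); }
    // $user = find_user($db, $username);
    // $sql  = 'SELECT id FROM users WHERE username = ' . sql_quoted($db, $username); // escaping variant
}
```

Validation rejects input before any query is built, so the escaping or binding step only ever sees data of a known shape; the escaping helper is kept for code that still builds SQL strings, but `find_user` shows the form that needs no escaping at all.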