mysql_real_escape_string

[mbrown]

Is mysql_real_escape_string the only thing i should use to prevent sql injection when i am validating a log in like the following

 

$username = mysql_real_escape_string($_POST['username'];
$password = mysql_real_escape_string($_POST['password'];

 

what else can i do?

[jackpf]

Pretty much.

 

However, you should also use htmlspecialchars() or strip_tags() where you don't want people to use html, such as your register form, or update profiles or anything like that.

[mbrown]

those can be used like mysql_real_escape_string?

 

you mean the register validation page correct?

 

can you provide me an example or two if my first question is wrong?

[cooldude832]

no it is not the only thing

 

 

Google good injection prevention techniques as there are plenty of resources the key is you need to look at a few things

 

1) What is the garbage comming in?  What format what format should it be how can it come in wrong

2) Where is the garbage in getting stored (Update or Insert here)

3) When the garbage is commin out how is it being using (echo/print integer modification eval)

 

 

[John_S]

Hey there,

 

Hmm I would also suggest using htmlspecialchars(), personally I always use a function:

<?php
function db_protect($string) {
  return htmlspecialchars(mysql_real_escape_string($string));
}
?>

 

But you have to think about where will the data be sent from, what format will it come in and what will it be used for.

[redarrow]

If you valadate the form information correctly, then use mysql_real_escape_string,

dont see any issues.

 

valadate the form info with preg_match(); function.