mac007 Posted March 9, 2009

Hi, all: I am a newbie, trying to understand mysql_real_escape_string() and basic security issues; I am just beginning to try to implement sound security measures as far as injections go, so I have the following:

<CODE>
<?php
if (isset($_POST['submit'])) {
    $con = mysql_connect("connection", "user", "password");
    mysql_select_db("database", $con);

    // Escape the user-supplied value before it is placed inside a quoted SQL literal.
    // Passing $con makes the escaping use the connection's character set.
    $stringNew = mysql_real_escape_string($_POST['subject'], $con);

    mysql_query("INSERT INTO NOTEPAD (subject) VALUES ('$stringNew')")
        or die("not inserted!");
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>
<body>
<form action="" method="post">
    <p>
        <!-- htmlentities() protects the HTML attribute context when echoing user input back -->
        <input name="subject" type="text" id="subject"
               value="<?php if (isset($_POST['submit'])) { echo htmlentities($_POST['subject']); } ?>" />
    </p>
    <p>
        <label>
            <input type="submit" name="submit" id="submit" value="Submit" />
        </label>
    </p>
</form>
</body>
</html>
</CODE>

I disabled my server's magic quotes, so I am obviously taking care of it through the mysql_real_escape_string() function. It seems to work just fine, but I was wondering a few things; in the manual it says this function escapes the following characters: \x00 \n \r \ ' " \x1a

I get what the ', ", \n, and \r mean; but what characters do the \x00 and the \x1a represent?

Also, it seems to me it doesn't escape key programming characters like the <, >, or ?; do I need to use other functions along with it, besides the mysql_real_escape_string() one?

Appreciate any feedback...
waynew Posted March 9, 2009

Hi,

When inserting data into your queries, mysql_real_escape_string will do just fine. When outputting data that you don't trust (does it contain JavaScript etc.?), use htmlentities().
Mchl Posted March 9, 2009

< > ? are not posing an SQL injection threat and as such are not escaped.

\x00 is NUL (empty character) and \x1A is the substitute character. Read more about those at: http://en.wikipedia.org/wiki/ASCII
mac007 (Author) Posted March 9, 2009

Thanks Wayne, Mchl... thanks for the explanation... so my setup is basically right? And just by using the mysql_real_escape_string() function I pretty much take care of any possible injections?
waynew Posted March 9, 2009

> Thanks Wayne, Mchl... thanks for the explanation... so my setup is basically right? And just by using the mysql_real_escape_string() function I pretty much take care of any possible injections?

You're safe from I'd say around 99% of SQL injections. If you really want to be secure, I suggest you use prepared statements using the mysqli extension or PDO.
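The three answers above (escape for SQL, htmlentities() for output, and prepared statements for the remaining cases) can be seen side by side in one runnable sketch. This is an added example, not code from the thread; it is written in Python so the whole thing runs offline. `mysql_escape()` reimplements the seven-character escape table that the MySQL manual documents for mysql_real_escape_string() under a single-byte connection charset (\x00 becomes `\0`, \x1a becomes `\Z`); that it matches the C library byte for byte is an assumption of the demo, not a call into it. The NOTEPAD table, the `id` column and all payload strings are constructed sample data; the prepared-statement part uses SQLite's `?` placeholders in place of mysqli/PDO, since the point about keeping data out of the SQL text is driver-independent.

```python
"""Escaping versus parameterisation, worked through in Python (added example).

mysql_escape() mirrors the documented escape table of mysql_real_escape_string()
for a single-byte charset; this is an assumption for the demo, not the MySQL
client library itself.  NOTEPAD and every payload below are constructed data.
"""
import html
import sqlite3

# The seven bytes mysql_real_escape_string() turns into backslash sequences.
_MYSQL_ESCAPES = {
    "\x00": "\\0",   # NUL: C-string terminator, would cut the query text short
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",   # SUB / Ctrl-Z: treated as end-of-file by some Windows tools
}


def mysql_escape(value: str) -> str:
    """Escape exactly the characters mysql_real_escape_string() handles.

    Note what is *not* here: < > ? & and friends pass through untouched,
    because they cannot break out of a quoted SQL string literal.
    """
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def insert_query(subject: str) -> str:
    """The OP's pattern: escaped value dropped into a *quoted* literal."""
    return f"INSERT INTO NOTEPAD (subject) VALUES ('{mysql_escape(subject)}')"


def lookup_query(note_id: str) -> str:
    """Same escaping, but the value lands in an *unquoted* numeric position.

    There is no quote to escape, so '1 OR 1=1' simply becomes part of the SQL.
    This is the gap escaping alone leaves open.
    """
    return f"SELECT subject FROM NOTEPAD WHERE id = {mysql_escape(note_id)}"


def render_value(subject: str) -> str:
    """Output side: htmlentities()-style escaping for the form's value="" attribute."""
    return html.escape(subject, quote=True)


def parameterised_roundtrip(subject: str, note_id: str):
    """Prepared statements: the driver never splices data into the SQL text.

    Returns (subject as stored, number of rows matched by the id lookup).
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE NOTEPAD (id INTEGER PRIMARY KEY, subject TEXT)")
    # The payload is stored verbatim, quotes and all, with no escaping step.
    con.execute("INSERT INTO NOTEPAD (subject) VALUES (?)", (subject,))
    stored = con.execute("SELECT subject FROM NOTEPAD WHERE id = 1").fetchone()[0]
    # note_id is bound as a value: '1 OR 1=1' is compared against id, not parsed.
    hits = con.execute("SELECT subject FROM NOTEPAD WHERE id = ?", (note_id,)).fetchall()
    con.close()
    return stored, len(hits)


if __name__ == "__main__":
    payload = "x'); DROP TABLE NOTEPAD; -- "
    print(insert_query(payload))        # the quote is escaped; payload stays inside the literal
    print(lookup_query("1 OR 1=1"))     # nothing to escape; the OR is now live SQL
    print(render_value("<script>alert(1)</script>"))
    print(parameterised_roundtrip(payload, "1 OR 1=1"))
```

Running the module prints the escaped INSERT, the broken numeric SELECT, the HTML-safe rendering of a script tag, and the parameterised round trip, where the same payload is stored literally and the `1 OR 1=1` lookup matches zero rows.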
mac007 (Author) Posted March 9, 2009

OK, got it... thanks for your feedback, guys!