
[SOLVED] Am a newbie, trying to understand mysql_real_escape_string(), and basic security


mac007


Hi, all:

 

I am a newbie trying to understand mysql_real_escape_string() and basic security issues; I am just beginning to try to implement sound security measures as far as injections go, so I have the following:

 

<CODE>
<?php
// Runs only when the form below has been submitted.
if (isset($_POST['submit'])) {
    // Open the connection first: mysql_real_escape_string() needs a live
    // connection so it can escape according to the connection's character set.
    $con = mysql_connect("connection", "user", "password");
    mysql_select_db("database", $con);

    // Escape the raw POST value before placing it inside the quoted SQL literal.
    $stringNew = mysql_real_escape_string($_POST['subject']);

    mysql_query("INSERT INTO NOTEPAD (subject) VALUES ('$stringNew')") or die("not inserted!");
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>

<body>

<form action="" method="post">
  <p>
    <!-- Re-display the submitted value; htmlentities() escapes it for the HTML attribute context. -->
    <input name="subject" type="text" id="subject" value="<?php if (isset($_POST['submit'])) { echo htmlentities($_POST['subject']); } ?>"/>
  </p>
  <p>
    <label>
    <input type="submit" name="submit" id="submit" value="Submit" />
    </label>
  </p>
</form>

</body>
</html>
</CODE>

 

 

I set my server's magic_quotes to off, so I am obviously taking care of it through the mysql_real_escape_string() function. It seems to work just fine, but I was wondering a few things; in the manual it says this function escapes the following characters:

 

\x00
\n
\r
\
'
"
\x1a

 

I get what the ', ", \n, and \r mean; but what characters do the \x00 and the \x1a represent?? Also, it seems to me it doesn't escape key programming characters like the <, >, or ?; do I need to use other functions along with it, besides the mysql_real_escape_string() one...??

 

appreciate any feedback...

< > ? are not posing an SQL injection threat and as such are not escaped.

\x00 is NUL (empty character) and \x1A is the substitute character.

 

Read more about those at:

http://en.wikipedia.org/wiki/ASCII

 

Thanks Wayne, Mchl... thanks for the explanation... so my setup is basically right? And just by using the mysql_real_escape_string() function I pretty much take care of any possible injections??

 

You're safe from I'd say around 99% of SQL injections. :P If you really want to be secure, I suggest you use prepared statements using the mysqli extension or PDO.
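An added example, not code from the original thread, showing the difference between the escaping approach in the posted script and the prepared statements the last reply recommends. Two assumptions: mysql_real_escape_string() needs a live MySQL connection (and no longer exists in PHP 7+), so the escaping step is a local stand-in that applies exactly the seven-character table quoted from the manual above; and the PDO part uses the SQLite driver (pdo_sqlite) with an in-memory database so it runs without a MySQL server, with an assumed `id` column added to the NOTEPAD table. The prepare()/execute() calls are the same with a `mysql:` DSN. The `<`, `>` and `?` characters the question asks about belong to the HTML output context, which the posted form already handles with htmlentities(); this example is only about the SQL context.

```php
<?php
// Added example (not from the original post).

// Local stand-in for mysql_real_escape_string(): the seven characters the
// manual lists, in the form MySQL's C API produces. Illustration only.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed inputs: a payload that tries to close the string literal, and
// one that targets an unquoted numeric position.
$subject = "Meeting notes'); DROP TABLE NOTEPAD; --";
$id      = "1 OR 1=1";

// 1. Escaping works because the value lands INSIDE quotes: the ' becomes \'
//    so the literal cannot end early. (Printed, not executed: these are
//    MySQL escaping rules and the offline demo below uses SQLite.)
echo "INSERT INTO NOTEPAD (subject) VALUES ('" . escape_like_mysql($subject) . "')", "\n";

// 2. Unquoted context: nothing in "1 OR 1=1" is on the escape table, so the
//    escaped query is identical to the unescaped one and the OR is live SQL.
echo "DELETE FROM NOTEPAD WHERE id = " . escape_like_mysql($id), "\n";

// For a numeric position, validate the type instead of escaping.
// FILTER_VALIDATE_INT returns false for "1 OR 1=1", so the request is rejected.
var_dump(filter_var($id, FILTER_VALIDATE_INT));

// 3. Prepared statement: SQL text and values travel separately, so there is
//    no quoting decision to get wrong in either context.
$pdo = new PDO('sqlite::memory:');   // assumption: pdo_sqlite available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE NOTEPAD (id INTEGER PRIMARY KEY, subject TEXT)");

$insert = $pdo->prepare("INSERT INTO NOTEPAD (subject) VALUES (:subject)");
$insert->execute([':subject' => $subject]);   // stored verbatim, never parsed as SQL

$select = $pdo->prepare("SELECT subject FROM NOTEPAD WHERE id = :id");
$select->bindValue(':id', 1, PDO::PARAM_INT);
$select->execute();

// The payload came back unchanged as data and the table still exists.
var_dump($select->fetchColumn() === $subject);
```

The point of steps 1 and 2 together: mysql_real_escape_string() is only a complete defence when every escaped value is wrapped in quotes in the query. Anywhere a value is dropped in bare (an id, a LIMIT, a column name) escaping does nothing, which is the kind of case the "99%" in the reply leaves out; prepared statements remove that decision from the programmer for values (column and table names still cannot be bound and need an allow-list).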

Archived

This topic is now archived and is closed to further replies.
