ArizonaJohn Posted May 29, 2009

Hello,

Is this enough to protect my site from SQL injection?

On my main page, I have this form:

<div class="searchbox">
  <form action="tsearch18.php" method="post">
    <label>Enter Topic: <input type="text" name="find" size="55"/>
      <input type="hidden" name="searching" value="yes" />
      <input type="submit" name="search" value="Search" />
    </label>
  </form>
</div>

Then, on tsearch18.php, I have this:

mysql_connect("mysqlv3", "username", "password") or die(mysql_error());
mysql_select_db("sand2") or die(mysql_error());

// Read the submitted search term (the original relied on register_globals to set $find;
// this assignment is added so the script runs with register_globals off)
$find = isset($_POST['find']) ? $_POST['find'] : '';

// We perform a bit of filtering
$find = strip_tags($find);
$find = trim($find);
$find = strtolower($find);
// Escape for the open MySQL connection's character set; must be called after mysql_connect()
$find = mysql_real_escape_string($find);

I was hoping that the "mysql_real_escape_string" would protect me. Am I right?

Thanks,
John
Absorbator Posted May 29, 2009

I thought addslashes() works fine...
HaLo2FrEeEk Posted May 29, 2009

All you should need is the mysql_real_escape_string; it includes pretty much all of the injection protections that you're using, all in one.
GingerRobot Posted May 29, 2009

HaLo2FrEeEk wrote: "All you should need is the mysql_real_escape_string, it includes pretty much all of the injection protections that you're using all in one."

No, it doesn't. It is, however, sufficient to prevent SQL injection. To quote from my response to a similar topic recently:

"It's overkill. You only need to be using mysql_real_escape_string to prevent the injection. That is plenty sufficient. You might like to use some of the other functions when you output the data, but probably not before. As a general rule of thumb, you should be looking to preserve the original text as much as possible in the database, for the simple reason that the specifications might change. You might find that, at some point in the future, you really did want any html tags left in, for example."
ArizonaJohn (Author) Posted May 29, 2009

OK, thanks. I'm fairly unfamiliar with how to safeguard my site, so I appreciate the responses.
HaLo2FrEeEk Posted May 31, 2009

The first thing you should do before putting any of this sort of thing on your site, then, is to read up on SQL injection: how it works, most importantly, and how to prevent it. Don't leave yourself open for even a small period of time.
darkfreaks Posted May 31, 2009

I would suggest reading up on MySQLi/PDO prepared statements. This will pretty much weed out SQL injection, along with mysql_real_escape_string().
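Editor's note: the thread's tsearch18.php rewritten with a PDO prepared statement, as darkfreaks suggests. This is an added example, not code from any poster; the table and column names (topics, title, id) are assumptions, the host, database and credentials are the ones from the first post, and the search is a LIKE match since the original never showed its query. Binding the value as a parameter keeps it out of the SQL text entirely, so it does not depend on the value being placed inside quotes the way mysql_real_escape_string() does.

```php
<?php
declare(strict_types=1);

// Search handler using a bound parameter instead of escaping into the SQL string.
// Table/column names are assumed; the original thread never showed its query.
function searchTopics(PDO $db, string $find): array
{
    // Only whitespace is trimmed; strip_tags()/strtolower() belong at output time,
    // so the stored/compared text stays as the user typed it (GingerRobot's point).
    $find = trim($find);
    if ($find === '') {
        return [];
    }

    // Escape LIKE metacharacters so a typed '%' or '_' matches literally.
    // This is search semantics, not injection defence: the value is never
    // concatenated into the SQL text because it is sent as a bound parameter.
    // MySQL's default LIKE escape character is the backslash.
    $pattern = '%' . addcslashes($find, '%_\\') . '%';

    $stmt = $db->prepare(
        'SELECT id, title FROM topics WHERE title LIKE :pattern LIMIT 50'
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details reuse the ones from the first post.
$db = new PDO('mysql:host=mysqlv3;dbname=sand2;charset=utf8mb4', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$find = isset($_POST['find']) ? (string) $_POST['find'] : '';

foreach (searchTopics($db, $find) as $row) {
    // Escape for the HTML output context here, not before storage or querying.
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The original mysql_* extension this thread uses was deprecated in PHP 5.5 and removed in PHP 7, so MySQLi or PDO is the only option on current PHP anyway.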