kevinritt Posted August 23, 2009

I have an admin section for my client to edit his pages using TinyMCE. When he edits and saves changes, do I need to use mysqli_real_escape_string for my variables like this:

<?php
if (isset($_POST['editContent'])) {
    require("connections/dbconn.php");
    // mysqli_real_escape_string() needs the connection as its first argument
    $content = mysqli_real_escape_string($conn, $_POST['content']);
    $id = mysqli_real_escape_string($conn, $_POST['id']);
    $sql = "UPDATE pages SET content='$content' WHERE id='$id'";
    // mysqli_error() likewise needs the connection
    $result = $conn->query($sql) or die(mysqli_error($conn));
    if ($result) {
        header("location:admin.php?message=1");
        exit; // stop the script after sending the redirect
    }
}
?>
Grayda Posted August 24, 2009

Yep. The general rule of thumb is: don't trust anything the user gives you. Ever. Even if your client is good as gold, escape it. Better to add it in than not, and face your site being hacked, dropped, used for spam etc.
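Added example, not code from the thread: the same update handler rewritten with a mysqli prepared statement. With placeholders the query text is fixed and the values are sent separately, so they can never be read as SQL, which is what the "escape everything" advice is trying to achieve. The table, column and file names (pages, content, id, connections/dbconn.php defining $conn) are taken from the original post; that $conn is a mysqli object, the integer check on id and the error-reporting mode are assumptions made for this example. Two caveats worth knowing: mysqli_real_escape_string only protects a value that is placed inside quotes in the SQL (the original post does quote '$id', so it is safe there, but an unquoted numeric value would not be), and neither escaping nor binding does anything about the HTML that TinyMCE stores being rendered later; that is a separate output-encoding concern.

```php
<?php
// Added example (not from the thread): update handler using a prepared
// statement instead of string concatenation. Assumes connections/dbconn.php
// defines $conn as a mysqli instance, as in the original post.
declare(strict_types=1);

// Turn mysqli failures into exceptions instead of die(mysqli_error()).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (isset($_POST['editContent'], $_POST['content'], $_POST['id'])) {
    require 'connections/dbconn.php'; // assumed to set $conn (mysqli)

    // Validate shape before touching the database: id must be an integer.
    $id = filter_var($_POST['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit('invalid id');
    }
    $content = (string) $_POST['content']; // raw TinyMCE HTML, stored as-is

    // The ? placeholders keep the SQL structure fixed; values are bound as
    // data ('s' = string, 'i' = integer) and never interpreted as SQL.
    $stmt = $conn->prepare('UPDATE pages SET content = ? WHERE id = ?');
    $stmt->bind_param('si', $content, $id);
    $stmt->execute();
    $updated = $stmt->affected_rows; // 0 means no page with that id
    $stmt->close();

    header('Location: admin.php?message=' . ($updated > 0 ? '1' : '0'));
    exit; // nothing should run after the redirect header
}
```

The prepare/bind/execute sequence is what replaces mysqli_real_escape_string: no quoting of $content or $id is needed in the SQL, and the same code works whether the bound value contains a single quote, a backslash or a whole "' OR 1=1 --" payload, because it is transmitted as a parameter rather than as part of the statement.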
Cardale Posted August 24, 2009

This doesn't even take into account specialized browsers that can manipulate sessions and other post data.
kevinritt Posted August 24, 2009 (Author)

> This doesn't even take into account specialized browsers that can manipulate sessions and other post data.

Does that mean I have to do more than what I've added?
Cardale Posted August 24, 2009

It depends on the type of login system you're using. It is almost always better to over-check user sessions, cookies, and any other data that you want secure. If you're allowing anyone to enter this data then it should be fine, but if you don't want annoying spam bots entering data, or any random person, you need other checks, because you don't have to worry about just injection. You have to worry about information you don't want pasted all over your site.
kevinritt Posted August 24, 2009 (Author)

The changes will be done by a client. Can you refer me to a tutorial or book for more info on these types of security issues?
purencool Posted August 24, 2009

These references are great:

* http://www.owasp.org/index.php/SQL_Injection (last updated May 2009)
* http://www.owasp.org/index.php/PHP_Top_5 (last updated Jan 2007)
* http://shiflett.org/