Jump to content


This topic is now archived and is closed to further replies.


Securing My PHP Application For Buisness Use

Recommended Posts

Hello all, I am devolving an application that companies will HOPEFULLY :) buy and use. I am a little concerned about security though, because they will be entering sensitive information. I am decently experienced with PHP and MySQL but what are some general security tips and holes?

I am not doing any IO, purely storage and retrieval from MySQL. I will be using mail() though, and I know there some issues related to that. How about MySQL injection attacks, what’s the easiest fix for that? I purely use variables in their right scope, i.e. I don’t take advantage of REGISTER GLOBALS which I know is one good security measure. Thanks for additional advice.

Share this post

Link to post
Share on other sites
Ten Security Checks for PHP, Part 1
by Clancy Malcolm



Example 3. A "Best Practice" query

Using mysql_real_escape_string() around each variable prevents SQL Injection. This example demonstrates the "best practice" method for querying a database, independent of the Magic Quotes setting.

// Quote variable to make safe
function quote_smart($value)
  // Stripslashes
  if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
  // Quote if not a number or a numeric string
  if (!is_numeric($value)) {
      $value = "'" . mysql_real_escape_string($value) . "'";
  return $value;

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
  OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",

The query will now execute correctly, and SQL Injection attacks will not work.

Share this post

Link to post
Share on other sites
[b]Thanks for tips Mark[/b]. Unfortunately I have already written a lot of this code, and changing all my queries to implement the function call quote_smart() on every variable is nothing-less than a disaster and headache. Looks like smart_quotes_gtc going to have to be good enough, unless I feel ambitious and want to change all my queries. Any other idea to simply my life?

Currently my queries look like:

$sql = "SELECT first_name, last_name, company_name FROM customers WHERE customer_id = " . $_POST['customer_id'] . " AND status = '" . $isActive . "'";

Any easy fix for queries in that format?

Share this post

Link to post
Share on other sites


Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.