xjermx Posted April 6, 2011 Share Posted April 6, 2011 I'm attempting to thoroughly sanitize my PHP app to avoid common exploits, and am working on guarding from SQL injections and such. I'm using mysql_real_escape_string for data that comes from the user. I have a number of instances of the following: $ip = $_SERVER['REMOTE_ADDR']; $page = $_SERVER['PHP_SELF']; And then using those values to query or update SQL. Is it a best practice to also sanitize this sort of data? Link to comment https://forums.phpfreaks.com/topic/232880-sanitizing-data-for-sql-queries-and-updates/ Share on other sites More sharing options...
spiderwell Posted April 6, 2011 Share Posted April 6, 2011 in my experience its better to do it and not need it than the other way around Link to comment https://forums.phpfreaks.com/topic/232880-sanitizing-data-for-sql-queries-and-updates/#findComment-1197766 Share on other sites More sharing options...
Adam Posted April 6, 2011 Share Posted April 6, 2011 The IP address is safe in terms of SQL injections, however PHP_SELF is not. You can pass an injection through it very easily. As a simple example, consider they inject the URL with /index.php/' OR 1=1 .. that would be preserved within the PHP_SELF variable. Link to comment https://forums.phpfreaks.com/topic/232880-sanitizing-data-for-sql-queries-and-updates/#findComment-1197767 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.