xjermx Posted April 6, 2011 Share Posted April 6, 2011 I'm attempting to thoroughly sanitize my PHP app to avoid common exploits, and am working on guarding from SQL injections and such. I'm using mysql_real_escape_string for data that comes from the user. I have a number of instances of the following: $ip = $_SERVER['REMOTE_ADDR']; $page = $_SERVER['PHP_SELF']; And then using those values to query or update SQL. Is it a best practice to also sanitize this sort of data? Quote Link to comment Share on other sites More sharing options...
spiderwell Posted April 6, 2011 Share Posted April 6, 2011 in my experience its better to do it and not need it than the other way around Quote Link to comment Share on other sites More sharing options...
Adam Posted April 6, 2011 Share Posted April 6, 2011 The IP address is safe in terms of SQL injections, however PHP_SELF is not. You can pass an injection through it very easily. As a simple example, consider they inject the URL with /index.php/' OR 1=1 .. that would be preserved within the PHP_SELF variable. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.