Logician Posted November 6, 2011

I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP. My webpage uses HTML FORMS. When most of these forms get sent back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic run down, I have a newsletter sign-up system. "Enter your e-mail address"... and then the user enters their e-mail and submits. PHP runs a MySQL query to insert that FORM value into the database along the lines of this:

insert into newsletters (email) values ('.$POST['email'].')

I fear this is very vulnerable to injection attack, as it means a troublemaker can come along and enter anything they want into my database, potentially wiping it out. I believe I need to "sanitize" my input with a MySQL "real_escape_string" or something? Is there anything really obvious I should look out for when it comes to PHP security? Is there a way to forbid all strings/arguments except the few I need or something perhaps?
trq Posted November 6, 2011

Security is generally not something you should think about when your application is 95% complete; it should be thought about during the entire process. As for your question, see mysql_real_escape_string.
Logician Posted November 6, 2011 (Author)

Thanks for the information! I don't know what to make of the example given in that manual.

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password));

What is %s? $user and $password are not defined? Do you know where I can find an example of where mysql_real_escape_string is used in my case?... so I can compare it with a process that is familiar to me.
trq Posted November 6, 2011

The %s has nothing to do with mysql_real_escape_string; see sprintf. Anyway, given your example in your first post:

$email = mysql_real_escape_string($_POST['email']);
$sql = "INSERT INTO newsletters (email) VALUES ('$email')";
Logician Posted November 6, 2011 (Author)

Thorpe, thank you very much for showing me that example! It's made things a lot clearer! What I am going to do is use:

$query = "insert into newsletters (email) values ('" . mysql_real_escape_string($_POST['email']) . "')";

Would it be wise to use mysql_real_escape_string for all $_POST['']'s? The PHP manual said mysql_real_escape_string escapes special characters. So I am assuming that is everything but letters and numbers? Oh, ow, will this also strip the @ symbol? Is there anything else you recommend I should look into with PHP security?
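An added example, not code from the thread, showing the concatenated query from the original post beside a parameterised version (the mysql_* functions were removed in PHP 7, so it uses PDO). It runs against an in-memory SQLite database so it works offline; for MySQL only the DSN changes. The table layout and the sample address are constructed assumptions.

```php
<?php
// Added example (not from the thread): string-built query beside a
// prepared statement. In-memory SQLite via PDO so it runs offline.
declare(strict_types=1);

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table matching the newsletter example in the thread.
    $pdo->exec('CREATE TABLE newsletters (email TEXT NOT NULL)');
    return $pdo;
}

// Vulnerable: the input becomes part of the SQL text itself, so a quote
// inside it ends the string literal and the rest is parsed as SQL.
function subscribeUnsafe(PDO $pdo, string $email): void {
    $pdo->exec("INSERT INTO newsletters (email) VALUES ('" . $email . "')");
}

// Safe: allow-list the value first, then bind it as a parameter. The
// driver sends the value separately from the statement, so quotes in it
// cannot change the query, and nothing (including '@') is stripped.
function subscribeSafe(PDO $pdo, string $email): bool {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // reject anything that is not a well-formed address
    }
    $stmt = $pdo->prepare('INSERT INTO newsletters (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    return true;
}

$pdo = connect();
$input = "o'neill@example.com"; // constructed sample address containing a quote

try {
    subscribeUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The apostrophe breaks the hand-built statement: a syntax error here,
    // and a changed query in the worse case.
    echo "string-built query failed: " . $e->getMessage() . "\n";
}

var_dump(subscribeSafe($pdo, $input));         // same address, bound as a parameter
var_dump(subscribeSafe($pdo, 'not an email'));  // rejected by the allow-list check

// Show what was actually stored: the address arrives verbatim, '@' intact.
var_dump($pdo->query('SELECT email FROM newsletters')->fetchAll(PDO::FETCH_COLUMN));
```

Escaping with a *_real_escape_string function only neutralises the characters the database treats specially (quote, backslash, NUL, newline and a few others); it never removes letters, digits or '@', and it offers no protection when the value is used outside a quoted string literal, which is why binding parameters is the usual recommendation.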
xyph Posted November 6, 2011

Read the article in my signature. It's a great read and covers most of what you need to know.