bypassing mysql_escape?


Monkuar

Recommended Posts

I use mysql escape and intval for my integers

but I read this article

http://www.itshacked.com/350/bypassing-php-security-mysql_escape_string-while-sql-injection-attacks-is-possible.html

It shows that people can bypass the mysql_escape, but that article is only showing it if they don't intval their ID= XXXX

is it true or bogus?

what are some more security measures I can take to help reduce the risk of sql injection?

I use intval and mysql_escape_string, what else?

https://forums.phpfreaks.com/topic/257837-bypassing-mysql_escape/

Are you using mysql_escape_string(), which has been deprecated since php 4.3.0, or mysql_real_escape_string()? There's a difference, and you should be using the _real_ function.

 

I'm using

// Method on the database wrapper class: $this->link_id is the open mysqli connection.
// Arrays are rejected (returned as an empty string); scalars are escaped for use
// inside a quoted SQL string literal.
function escape($str)
{
    return is_array($str) ? '' : mysqli_real_escape_string($this->link_id, $str);
}

then I do $db->escape($variable) for whatever variable before it enters the db

good?

For that part, yes. For numeric values, they need to be at the least cast as the appropriate data type. Validating them doesn't hurt either, so you can tell your user about any errors and let them correct mistakes.
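As an added illustration of the advice above (not code from the thread or from the poster's wrapper), here is how a numeric id can be validated rather than only escaped, and then bound as an integer so it never becomes part of the SQL text. It assumes a mysqli connection `$db`, a table `users` with `id` and `name` columns, and the mysqlnd driver (needed for `get_result()`); the function names are my own.

```php
<?php
// Added example: validate a numeric id, then bind it by type in a prepared
// statement. Escaping alone only protects quoted string literals; an unquoted
// integer placed straight into the SQL text gets no protection from it.

/**
 * Return the id as an int, or null if the input is not a positive integer.
 * filter_var() rejects "12abc", "1.5", "" and anything with trailing text,
 * whereas (int)/intval() would silently turn "12abc" into 12.
 */
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one user by id. The value is bound with type 'i', so MySQL receives
 * it as an integer parameter rather than as interpolated query text.
 */
function fetch_user(mysqli $db, $raw_id): ?array
{
    $id = validate_id($raw_id);
    if ($id === null) {
        return null; // report "invalid id" to the user; do not run the query
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumes $db is an open mysqli connection, as noted above):
// $user = fetch_user($db, $_GET['id'] ?? '');
// if ($user === null) { echo 'invalid or unknown id'; }
```

Validation also gives the user a clear error for a mistyped id, which a silent intval() cast would hide.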

Love it

thank you
