wright67uk Posted October 21, 2012
Would you say that this code is safe from SQL injection? If not, then why?

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Connect to MySQL; the poster replaced host, user, password and database with ###
    $con = mysql_connect("###", "###", "###");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("###", $con);

    // Escape the two user-supplied values before interpolating them into the query
    $n = mysql_real_escape_string($_POST['name']);
    $e = mysql_real_escape_string($_POST['email']);
    $sql = "INSERT INTO waiting (name, email) VALUES('$n','$e')";
    if (!mysql_query($sql, $con)) {
        die('Error: ' . mysql_error());
    }
    echo "Thank you! We will be in touch soon.";
    mysql_close($con);
}
?>
<?php if ($_SERVER['REQUEST_METHOD'] <> 'POST') { ?>
<p>
This website is under construction!<br />
Enter your details and we will get back to you as soon as we are all done.<br />
<br />
</p>
<!-- the action needs an echo, and PHP_SELF is escaped so it cannot inject markup -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
    Name: <input type="text" name="name" /><br /><br />
    Email: <input type="email" name="email" /><br /><br />
    <input type="submit" value="Submit" />
</form>
<?php } ?>
silkfire Posted October 21, 2012
I would recommend that you use PDO with prepared statements; then you're 100% safe from injections of any sort.
Christian F. Posted October 22, 2012
Yes, your code is safe against SQL injections. There are only two variables used in the query, and you've correctly escaped them with mysql_real_escape_string(). What your code isn't protected against, however, is HTML injection (XSS etc.). To protect yourself against that, please see this article. You'll also want to have a look at rawurlencode() and htmlspecialchars().
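The PDO prepared-statement rewrite silkfire recommends, combined with the output escaping Christian F. raises, as an added example that is not code from either poster; the host, database name and credentials are placeholders, and the `waiting` table is the one from the question.

```php
<?php
// Added example (not the original poster's code): the same signup form
// rewritten with PDO prepared statements. Host, database name and
// credentials are placeholders.
declare(strict_types=1);

function connect(): PDO {
    $dsn = 'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

// Inserts one row; the values travel separately from the SQL text, so the
// server never parses them as SQL and no escaping step is needed.
function addToWaitingList(PDO $db, string $name, string $email): bool {
    $stmt = $db->prepare('INSERT INTO waiting (name, email) VALUES (:name, :email)');
    return $stmt->execute([':name' => $name, ':email' => $email]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = trim((string)($_POST['name'] ?? ''));
    $email = trim((string)($_POST['email'] ?? ''));
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Please supply a name and a valid email address.');
    }
    try {
        addToWaitingList(connect(), $name, $email);
    } catch (PDOException $e) {
        error_log($e->getMessage());   // keep driver details in the server log, not the page
        http_response_code(500);
        exit('Sorry, something went wrong. Please try again later.');
    }
    echo 'Thank you! We will be in touch soon.';
    exit;
}
// Anything reflected into HTML is escaped; this is the separate XSS concern.
$action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<p>This website is under construction!<br />
Enter your details and we will get back to you as soon as we are all done.</p>
<form action="<?= $action ?>" method="post">
    Name: <input type="text" name="name" /><br /><br />
    Email: <input type="email" name="email" /><br /><br />
    <input type="submit" value="Submit" />
</form>
```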