Jump to content

Security Tips?

GerryCarr

By GerryCarr
in PHP Coding Help

 Share

Recommended Posts

KevinM1 Advanced Member

KevinM1

Posted
Posted

That's because addslashes has never been a proper method of escaping database input.

 

The best way to escape input is to use prepared statements with either MySQLi (notice the 'i' at the end... the old mysql_* functions are deprecated and should not be used), or PDO.  The online PHP manual has examples of both.

Link to comment
Share on other sites
.josh Advanced Member

.josh

Posted
Posted

use prepared statements.

 

Example insert:

 

$db = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8', 'username','password');
$query = $db->prepare("INSERT INTO table (column) VALUES (:column)");
$query->bindValue(':column', 'some value'), PDO::PARAM_STR);
$query->execute();
Example select:

 

$db = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8', 'username','password');
$query = $db->prepare('SELECT * FROM table where column=:column');
$query->bindValue(':column', 'some value', PDO::PARAM_STR);
$query->execute();
$row = $query->fetch(PDO::FETCH_ASSOC);
echo $row['column'];
This will prevent sql injection. However, you should still have logic in place to validate the user input, for the sake of your script functioning properly. For example, if you expect a user to provide a url or email address or zip code or whatever.. you should validate that it's a proper format so that you can properly do something with it. For example, using the above will prevent sql injection, but letting a user enter in arbitrary value in those fields will not prevent other attacks, such as cross-site scripting attacks. I could enter in your form some javascript and it'll sit in your db and not directly harm your db but if you turn around and output it on some page without validation or escaping, I could make your site output arbitrary js and find other ways to hack your site. So for instance, if you ask for a (US) zipcode, validate that they entered in 5 digits and nothing else, etc..
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.