Jump to content


Photo

mysql_real_escape_string


  • Please log in to reply
No replies to this topic

#1 BrandonKahre

BrandonKahre
  • Members
  • Pip
  • Newbie
  • 6 posts

Posted 22 March 2006 - 07:05 PM

I am in a situation where I am designing some backend stuff where only a select few people will ever get to use it. This backend will control the products on our website... (using a mysql database) I know that no one with access to this backend will try to be malacious and add code to a string to hurt the site, however, I have never designed a "secure" application, so I'm not confident that a hacker would never be able to get in. Because of this, I'm tempted to use mysql_real_escape_string or a customized function to escape everything that is entered into the database (only the 3 fulltext datatypes really), but I don't really want to do this because then I have to remember to unescape everything throughout my code. Is there a way to insert safe text, but not have to give it any special treatment later on?

I'm worried about <?php code, <script>, and quotes. What is the best practice for this? Bite the bullet and just use real_escape? Also, do another question is, can I assume a varchar(30) is too small for malacious code?

Thanks

Brandon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users