
BrandonKahre

mysql_real_escape_string


I am in a situation where I am designing some backend stuff where only a select few people will ever get to use it. This backend will control the products on our website... (using a mysql database) I know that no one with access to this backend will try to be malicious and add code to a string to hurt the site, however, I have never designed a "secure" application, so I'm not confident that a hacker would never be able to get in. Because of this, I'm tempted to use mysql_real_escape_string or a customized function to escape everything that is entered into the database (only the 3 fulltext datatypes really), but I don't really [i]want[/i] to do this because then I have to remember to unescape everything throughout my code. Is there a way to insert safe text, but not have to give it any special treatment later on?

I'm worried about <?php code, <script>, and quotes. What is the best practice for this? Bite the bullet and just use real_escape? Also, another question is, can I assume a varchar(30) is too small for malicious code?

Thanks

Brandon

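As an added example (not part of Brandon's post), the following shows that escaping or parameter binding applies only while the SQL statement is built, so the stored value comes back unchanged and needs no unescaping, while HTML escaping is a separate step done at render time. It assumes a PDO connection to MySQL and a `products` table with a `description` column; the connection details are placeholders.

```php
<?php
// Added example, not code from the original thread.
// Assumed schema: products(id INT AUTO_INCREMENT PRIMARY KEY, description TEXT)
// Connection values below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepared statements
]);

// Constructed input containing the three things the post worries about:
// quotes, a <script> tag and a <?php tag. As data, none of them is executed.
$description = "O'Reilly's \"best\" book <script>alert(1)</script> <?php echo 1; ?>";

// Write: the value is bound to a placeholder, never interpolated into the SQL
// text, so quotes in the data cannot change the statement. The database stores
// the raw string; no escaped form is ever persisted.
$insert = $pdo->prepare('INSERT INTO products (description) VALUES (:d)');
$insert->execute([':d' => $description]);
$id = (int) $pdo->lastInsertId();

// Read: the value comes back exactly as entered, so there is nothing to
// "unescape" (no stripslashes() or similar anywhere in the read path).
$select = $pdo->prepare('SELECT description FROM products WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();
if ($stored !== $description) {
    throw new RuntimeException('round trip changed the stored value');
}

// Output: escape for the HTML context at the point of rendering. The browser
// shows "<script>" and "<?php" as literal text and runs neither; PHP never
// executes strings pulled from the database, so the <?php text is inert too.
echo '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';

// For comparison, mysql_real_escape_string() from the old mysql extension
// (removed in PHP 7) does the same job at the SQL boundary only; the escaped
// form is part of the statement text, not of what ends up in the table:
// $sql = "INSERT INTO products (description) VALUES ('"
//      . mysql_real_escape_string($description) . "')";
```

The column width question is separate: a short varchar limits the length of stored text, but a few characters are enough to break an unescaped quoted literal, so length is not a substitute for binding or escaping.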
