[SOLVED] good Sql Injection Prevention ?

[phpSensei]

Is this a valid use of mysql_real_escape_string ??

 

This is my first Sql inject Firewall..

 

<?php

$dbhost="localhost";
$dbuser="root";
$dbpass="";
$dbname="dbase";

$connect=mysql_connect($dbhost,$dbuser,$dbpass) or die("Error: " . mysql_error());
$db=mysql_select_db($dbname);


$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);>


$query_bad = "SELECT * FROM member WHERE username = '$username' and password ='$password'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";

?>

[dbo]

It's ok. Always filter input first... then escape it. Basically this means that you verify that the data matches your rules before you do anything with it. For example if a username can't be more than x characters long... verify that it isn't more than that before processing. Once it's passed your filters then escape it using mysql_real_escape_string or whatever function makes the most sense for the database being used.

[btherl]

Yes, it's valid use of mysql_real_escape_string().  Like dbo says, it doesn't hurt and often helps to validate the input first.

[phpSensei]

Thanks guys, both of you..