PHP Security

[ociugi]

i am aware of sql injection but I'm lock of knowledge on how to prevent this by increasing the security of the php code. i don't know where and when exactly to use the regular expression, trim, strpos, strsub, urlencode, urldecode functions, etc. because i am a beginner programmer. do i need to use the stripslashes to all input? For example i have a login form with user id and password, i want to know what and how to filter the input before i insert or select into sql? and for the registration form input filtering, is it the same as the login form filtering? please explain to me  on how to prevent the sql injection. thank you in advance.

[pocobueno1388]

The most important function when it comes to sql injections is mysql_real_escape_string()

http://www.php.net/mysql_real_escape_string

 

You need to use that function on ALL variables you are using in any query.

[pocobueno1388]

Here are some good articles on it you can read up on to understand more

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

http://www.netlobo.com/preventing_mysql_injection.html

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

[kenrbnsn]

You can also read the articles at PHP Security Consortium

 

Ken