Teachy Posted December 24, 2007

Hello! I don't know if I have confused myself, or whether what I have done is okay. I have a website on a shared server which I really wanted to secure, so I have gone through *every* SQL statement in my website, selects, inserts, and wrapped any variable or input with:

mysql_real_escape_string(stripslashes(strip_tags($foo)))

This all works okay, and I get the results I want, but I was wondering if this was correct? From what I've read, mysql_real_escape_string adds slashes, so effectively I'm adding slashes, and then removing them? I have seen other pastes with both on them, but wondered if it's a waste of processing power what I've done? Any insight is appreciated.

As a snippet, this is the type of thing I have:

$find = mysql_fetch_array(mysql_query("Select * from user where account='" . mysql_real_escape_string($_SESSION['account']) . "'"));

$sql = "Insert into user (account,password,sc,realname,location,email,native,other,joined) "
     . " values ('" . mysql_real_escape_string(stripslashes(strip_tags($_POST['account']))) . "',"
     . "'" . md5($password) . "', "
     . mysql_real_escape_string($sc) . ", "
     . "'" . mysql_real_escape_string(stripslashes(strip_tags($_POST['realname']))) . "',"
     . "'" . mysql_real_escape_string(stripslashes(strip_tags($_POST['location']))) . "',"
     . "'" . mysql_real_escape_string(stripslashes(strip_tags($_POST['email']))) . "', "
     . "'" . mysql_real_escape_string(stripslashes(strip_tags($_POST['native']))) . "',"
     . "'" . mysql_real_escape_string(stripslashes(strip_tags($_POST['other']))) . "',"
     . "'" . mysql_real_escape_string($joined) . "')";
$result = mysql_query($sql);
cooldude832 Posted December 24, 2007

I should write this down somewhere cause it's a common question about injection.

The mysql_real_escape_string is a function that attempts to escape all characters dangerous to your version of mysql (like quotes) so that it can be used in a query without damaging the SQL. This doesn't make you safe, it just makes sure you don't break your code. To prevent injection the key is phrasing user input: don't let them enter anything without checking it first, i.e. if the field type is integer and they type in a text value then error it and alert them, or if it's a certain length verify it's that length.

As for doing injection protection on every query, that isn't correct either, well it ain't necessary. Sometimes you have 3+ queries on a page, and only the first one has user input in it; the rest are all generated from the above query, no need to escape these, as you can be assured if it came out of sql to go back into it it's safe.

Some other notes: on an update query it's always a good idea to verify what you are trying to update (if it's a specific small pool of the whole table) is there, by doing a select count(*) from `table` where update criteria matches. Then say if(mysql_num_rows($q) > 0) update it.

With select queries you should always verify you didn't return 0 results before running a loop (you didn't). Using your snippet:

<?php
$q = "Select * from `user` where `account` = '" . $_SESSION['account'] . "'";
$r = mysql_query($q) or die(mysql_error() . "<Br />" . $q);
if (mysql_num_rows($r) > 0) {
    $find = mysql_fetch_array($r);
    // Rest of statements in the if
} else {
    // Alert error, no user found
}
?>

No need to escape here as the session data was created by you and can't be altered except by you; if it's an opener session you will need to escape.
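Pulling both posts together (typed validation of each field as cooldude832 describes, and no hand-rolled strip_tags/stripslashes/escape chain for Teachy's insert), here is an added example that is not code from the thread. It assumes a mysqli connection in $db with mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) so failures throw, PHP 5.5+ for password_hash, and the `user` table from the first post; the field rules (account pattern, 100-character limit) are invented for illustration.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection in $db,
// configured with mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) so
// failures throw, and the `user` table described in the first post.
// Typed validation replaces the strip_tags/stripslashes/escape chain.
function validate_user_input(array $post): array {
    $clean = [];
    $errors = [];
    // account: letters, digits and underscore only, 3-32 characters (invented rule)
    if (preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['account'] ?? '')) {
        $clean['account'] = $post['account'];
    } else {
        $errors[] = 'account must be 3-32 letters, digits or underscores';
    }
    // sc is an integer column: reject anything that is not a digit string
    if (ctype_digit((string)($post['sc'] ?? ''))) {
        $clean['sc'] = (int)$post['sc'];
    } else {
        $errors[] = 'sc must be a non-negative integer';
    }
    // email: a syntactic check, not strip_tags
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors[] = 'email is not valid';
    }
    // free text: bound the length, store verbatim, htmlspecialchars() on output
    foreach (['realname', 'location', 'native', 'other'] as $f) {
        $v = trim((string)($post[$f] ?? ''));
        if (mb_strlen($v) <= 100) {
            $clean[$f] = $v;
        } else {
            $errors[] = "$f is longer than 100 characters";
        }
    }
    return [$clean, $errors];
}

// The prepared statement does the quoting, so no mysql_real_escape_string.
function insert_user(mysqli $db, array $clean, string $password, string $joined): bool {
    $stmt = $db->prepare('INSERT INTO `user` (account, password, sc, realname,'
        . ' location, email, native, other, joined) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)');
    $hash = password_hash($password, PASSWORD_DEFAULT); // not unsalted md5()
    $stmt->bind_param('ssissssss', $clean['account'], $hash, $clean['sc'],
        $clean['realname'], $clean['location'], $clean['email'],
        $clean['native'], $clean['other'], $joined);
    return $stmt->execute();
}
```

Call insert_user only when the $errors array returned by validate_user_input is empty, so every bound value has already passed its type check.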