Hello. I have a general understanding of PHP, but not of its security. I recently began reading about SQL Injection and such. My code excerpt follows:
After the user submits the form, this script is called up.
if ($formMethod == "post") {
    $semname = $_POST['semname'];
} else {
    $semname = $_GET['semname'];
}
// strip tags, trim both ends, then escape quotes before the query
$semname = addslashes(rtrim(ltrim(strip_tags($semname))));
if (mysql_query("INSERT INTO $mySQLtable (semname) VALUES ('$semname')")) {
    echo "Success";
}
I cut out all other information that had nothing to do with sanitizing for security (stuff such as checking for empty input and creating error messages). Also, each variable my form has goes through the same process as $semname does.
My problem is I don't know if this is enough. I have heard of using addslashes, mysql_escape_string, and 1 or 2 others I don't recall. I don't know if I should use them all, or just use some, or what. I've been reading up on this, but so far it hasn't quite clicked for me which to use. If you can help me, that would be very appreciated. Is what I have enough or do I need to add another one?
Also, is rtrim(ltrim()) just repetition? I have seen some use trim, is that a combination of the two, or slightly different? I'll be reading the manual in the meantime, but thank you to all who can clarify this.
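As an added example (not the poster's code), here is the same insert written with a PDO prepared statement, which keeps the submitted value out of the SQL text entirely, so addslashes() is no longer doing the escaping job; it assumes a table named `seminars` and placeholder DSN values, and the mysql_* functions the original uses were removed in PHP 7.

```php
<?php
// Added example, not the poster's code. Assumes a `seminars` table with a
// `semname` column; DB_HOST/DB_NAME/DB_USER/DB_PASSWORD are placeholders.

function readSemname(string $formMethod): string
{
    // Read from the same source the form used; ?? avoids notices on missing keys.
    $raw = ($formMethod === 'post') ? ($_POST['semname'] ?? '') : ($_GET['semname'] ?? '');
    // trim() strips whitespace from both ends, i.e. it equals rtrim(ltrim($raw)).
    return trim($raw);
}

function insertSemname(PDO $db, string $table, string $semname): bool
{
    // Identifiers cannot be bound as parameters, so whitelist the table name.
    $allowedTables = ['seminars'];
    if (!in_array($table, $allowedTables, true)) {
        throw new InvalidArgumentException('Unexpected table name');
    }
    // The value travels to MySQL separately from the statement text, so quotes,
    // backslashes or SQL keywords inside $semname are stored as literal characters.
    $stmt = $db->prepare("INSERT INTO `$table` (semname) VALUES (:semname)");
    return $stmt->execute([':semname' => $semname]);
}

$db = new PDO(
    'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',
    'DB_USER',
    'DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

$semname = readSemname($formMethod ?? 'post');
if ($semname === '') {
    echo 'Please enter a seminar name';
} elseif (insertSemname($db, 'seminars', $semname)) {
    echo 'Success';
}

// HTML escaping belongs where the value is printed back into a page, not at
// insert time; strip_tags() on input is not a substitute for this:
// echo htmlspecialchars($semname, ENT_QUOTES, 'UTF-8');
```

Escaping functions such as addslashes() or mysql_escape_string() target one specific context (the SQL string literal), whereas binding a parameter removes the need to get that escaping right for every query.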