Script and String Security

Sangre

I read alot about SQL injections and stuff.
But actually, so many script have so many different ways, i am a little scared that 1 string function, nulifies the work of a previous.

like a function adds slashed to make the sting safe, and strip_slashes just removes them again, making the string dangerous again.

Is this piece of code:

$user = strip_tags(mysql_real_escape_string($_POST['login']));

enough the help against evil-people?

and if its a pagenumber

$page = (int) $_POST['page'];

will do right?

maybe an idea to make a general Security sticky here on the newbie board with loads of info on it?

Ow, and happy 2007 to all of you

laserlight

My advice is to use prepared statements, e.g., by using the PDO or mysqli extension in PHP5. For the most part, this simply eliminates the possibility of an SQL injection (but not malicious code that comes with the user input, you still have to handle those separately).

If you do not have access to a prepared statement interface, then for MySQL, mysql_real_escape_string() should be the function to use. As you pointed out, typecasting variables is also another way to go about it, especially for integral values.

Sangre

Ok thank you 🙂

And no i dont have access to a prepared statement interface, i think.
i am using a hosting service, they have PHP 5 and MySQL 4