I have finally gotten around to getting serious about security with my applications (before, it didn't matter as maybe 10 people even knew they existed). I have been reading about SQL Injection and all the bad juju that can happen if you don't protect against it.
I read up on it a bit in the PHP manual (http://us2.php.net/manual/en/function.mysql-real-escape-string.php). I followed their example and have created a function inside my DB class to prepare query parameters:
    // Escape one value, or every value in an array, for use inside a quoted
    // string literal in a MySQL query (follows the PHP manual's example).
    public function Prepare($params)
    {
        // check to see if it's an array
        if (is_array($params))
        {
            foreach ($params as $key => $value)
            {
                // undo the automatic backslashes added by magic_quotes_gpc
                // so the value is not escaped twice
                if (get_magic_quotes_gpc())
                {
                    $value = stripslashes($value);
                }
                $params[$key] = mysql_real_escape_string($value);
            }
        }
        else
        {
            if (get_magic_quotes_gpc())
            {
                $params = stripslashes($params);
            }
            $params = mysql_real_escape_string($params);
        }
        return $params;
    }
If I pass all variables that come from GET or POST to this function prior to a query, is that sufficient to protect me? Anyone care to share their methods, or perhaps point me somewhere that might help?
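The following is an added example, not code from the question above: it shows the approach that removes the escaping step entirely, parameterised queries with PDO, so that user-supplied values are sent to the server separately from the SQL text and never need quoting. The DSN, credentials, the `users(id, username, email)` table and the `Db` class are all assumptions made for the example.

```php
<?php
// Added example (not the poster's code): parameterised queries with PDO.
// Assumed for this example: a MySQL database reachable with the placeholder
// credentials below, and a table users(id, username, email).

declare(strict_types=1);

final class Db
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            // Let the MySQL server parse the statement and receive the bound
            // values separately; with emulation on, PDO would instead splice
            // escaped values into the SQL string on the client side.
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    /**
     * Run a SELECT with named placeholders. Bound values never become part
     * of the SQL text, so no escaping call and no quoting mistake is possible.
     */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        foreach ($params as $name => $value) {
            // Integers are bound as PDO::PARAM_INT so LIMIT/OFFSET arguments
            // work with emulation off (MySQL rejects a quoted LIMIT value).
            $type = is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR;
            $stmt->bindValue($name, $value, $type);
        }
        $stmt->execute();
        return $stmt->fetchAll();
    }

    /** Identifiers (table/column names) cannot be bound as parameters. */
    private const SORTABLE = ['id', 'username', 'email'];

    /**
     * Where user input must choose a column, e.g. ORDER BY, pick the name
     * from a fixed allowlist instead of escaping it; fall back to a default.
     */
    public function listUsers(string $sortBy, int $limit): array
    {
        if (!in_array($sortBy, self::SORTABLE, true)) {
            $sortBy = 'id';
        }
        return $this->select(
            "SELECT id, username, email FROM users ORDER BY `$sortBy` LIMIT :lim",
            [':lim' => $limit]
        );
    }
}

// Placeholder DSN and credentials: replace with your own. The charset is set
// on the connection so the server and client agree on how strings are parsed.
$db = new Db('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password');

// Request values go straight in as bound parameters, whatever they contain;
// a value such as  ' OR '1'='1  is compared as a literal string, not as SQL.
$username = $_GET['username'] ?? '';
$rows = $db->select(
    'SELECT id, username, email FROM users WHERE username = :username',
    [':username' => $username]
);

// Column choice from the request is constrained by the allowlist above.
$sorted = $db->listUsers($_GET['sort'] ?? 'id', 10);
```

Two points the example is built around: binding works for values only, so anything that must vary the structure of the query (a column name, a sort direction, a table) still has to come from a fixed allowlist rather than from an escaping function; and the connection charset is declared in the DSN, since escaping-based approaches such as `mysql_real_escape_string` are only correct when the escaping function and the server agree on the character set in use.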