login script security

BeanieMan

Hi all,

I have been trying to build a signup/login script and have become stuck on a couple of points.
Firstly, i have been using addslashes on POST variables and (ereg("'", )) to prevent sql injection, but recently i have read(including on this great site) that you should always use mysql_real_escape_string() before storing in database.
Dont these 2 methods do basically the thing. (escape the string)?

Secondly, i have seen many example login scipts using a variety of methods, cookies, sessions or a session table in the database, which of these would result in the most secure method.

thanks

beanieMan

coldwerturkey

BeanieMan;10908394 wrote:
Firstly, i have been using addslashes on POST variables and (ereg("'", )) to prevent sql injection, but recently i have read(including on this great site) that you should always use mysql_real_escape_string() before storing in database.
Dont these 2 methods do basically the thing. (escape the string)?

from what I've read, no, here's a nice article about addslashes() vs mysql_real_escape_string() that demonstrates how to bypass addslashes().

BeanieMan;10908394 wrote:
Secondly, i have seen many example login scipts using a variety of methods, cookies, sessions or a session table in the database, which of these would result in the most secure method.

Cookies and Sessions are both secure.. but afaik by using sessions you keep the data away from the user as sessions are stored on server, while cookies on the users machine. Regardless what you choose you should always verify the data.

BeanieMan

thanks for the reply coldwerturkey,
so if i use mysql_real_escape_string is there anything else i need to do to "sanitize" the data?