Sql Injection

Labmonkey

Ok, so what is the secure way to input data into a mysql database? I have been googling for a while now, and have come with many different results, and many pages saying "do not use what this page says!". Many sources simply say to use mysql_real_escape_string on all values going into the database, but others claim that is horrible. Then some say to use that in conjuction with addlslashes or something and others still say that those are all insecure.

I am trying to store things like forum posts, and so I can't use the simple method of removing all non abc or 123 characters.

So if someone can provide me a simple function that i can use to clean strings, and then another (if necessary) to retrieve them, that would be amazing!

Very confused 😕,
Labmonkey

Labmonkey

Oh, if it means anything, the server I am using has php 5 installed.

NogDog

As far as SQL injection goes, the only thing you need to do is use the appropriate escaping mechanism for the database interface being used. If you are using the PHP MySQL extensiong (as opposed to MySQLi), that mechanism is the mysql_real_escape_string() function. Anything else you might choose to do should have nothing to do with SQL injection, as that function will take care of it by escaping any potentially problematic characters in your SQL values. Other DB extensions will have different escaping functions, or in the case of PDO or MySQLi you could instead use prepared statements with place-holders.

On a related note, you will want to ensure either that the magic_quotes_gpc configuration option for PHP is disabled, or else if it is enabled to undo its "damage" via stripslashes() before applying your SQL escaping mechanism. If not, you risk double-escaping and ending up with extraneous escape characters in the SQL.

Labmonkey

Ok thanks. That really clears things up. I am new to this, but how might I check for agic_quotes_gpc, and if I am using mysqli. It is my friends server, and I am pretty sure everything is default, but I have no idea how to check.

NogDog

[man]get_magic_quotes_gpc/man will return true if "magic quotes" is enabled.