I'm currently developing some projects, and I was wondering if escaping user input with mysql_real_escape_string() was enough to prevent an SQL injection.
Why not test it yourself and see?
#1 rule - never trust user input.
I never used mysql_real_escape_string() before. I have always used some form of prepared statements and do my own filtering. I try not to rely on some specific MySQL functionality (hard to do at times) in case I ever have to switch DBs. But I guess mysql_real_escape_string() should serve the purpose; just listen to CyberCat.
Sanitize the input: check for [ " ] and filter them out server-side plus client-side before it gets to the database.
I would suggest validating the user's input before it even gets to the SQL stage. Trust me, it's worth the time and effort now rather than later, when you have a security firm throw everything including the kitchen sink at it. But specifically speaking, mysql_real_escape_string() will most definitely aid your efforts in making your code less vulnerable to SQL injection attacks... but remember, trust no one: validate before, plus don't forget the use of proper design, like ensuring your db fields are the right size; for form text fields, utilize the maxlength attribute.
Last edited by jackal; Apr 21, 2013 at 10:22 AM.
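The replies above split into three camps: escape with mysql_real_escape_string(), filter the input yourself, or use prepared statements. The example below (added here, not code from any poster) puts all three side by side on an in-memory SQLite database. Assumptions: SQLite stands in for MySQL, so only the unquoted-integer case is actually executed (SQLite string literals do not use backslash escapes, so the quoted-string query is built but not run), and mysql_style_escape() is a hand-written imitation of what mysql_real_escape_string() does for a single-byte connection charset, not the PHP function itself. The sample users are constructed data.

```python
import sqlite3

# Constructed sample data (not from the thread).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """Build an in-memory SQLite table standing in for the MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def mysql_style_escape(value):
    """Imitation (assumption) of mysql_real_escape_string(): backslash-escape
    the characters that can terminate or alter a MySQL string literal.
    It does nothing to text that contains none of them."""
    table = {
        "\\": "\\\\", "'": "\\'", '"': '\\"',
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def string_context_query(name):
    """Escaping is enough *only* when the value sits inside a quoted literal:
    every quote in the input is escaped, so the literal cannot be closed early.
    (Built, not executed: MySQL backslash semantics, not SQLite's.)"""
    return "SELECT id FROM users WHERE name = '%s'" % mysql_style_escape(name)


def numeric_lookup_escaped(conn, user_id):
    """Same escaping, but the value is interpolated without quotes.
    '1 OR 1=1' contains nothing to escape, so it becomes SQL code."""
    sql = "SELECT id FROM users WHERE id = %s" % mysql_style_escape(user_id)
    return [row[0] for row in conn.execute(sql)]


def numeric_lookup_safe(conn, user_id):
    """Validate first (the thread's advice), then bind with a parameter so the
    value can never be parsed as SQL regardless of its content."""
    if not user_id.isdigit():
        raise ValueError("user id must be a non-negative integer")
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(string_context_query("' OR '1'='1"))       # literal stays closed
    print(numeric_lookup_escaped(db, "1 OR 1=1"))     # every row: escaping did nothing
    try:
        numeric_lookup_safe(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    print(numeric_lookup_safe(db, "2"))               # [2]
```

The lesson is that mysql_real_escape_string() protects one context, a quoted string literal, and only if you actually quote the value. Numeric columns, identifiers, ORDER BY clauses and LIMIT values are not covered, and the real function also depends on the connection character set, so escaping with a mismatched multibyte charset has been bypassed in the past. Prepared statements (PDO or mysqli in PHP) keep data and code separate in every context, and the input validation from the thread is a cheap extra layer on top of them; note that the mysql_* extension itself was removed in PHP 7.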