
MySQL security



FlashDance
11-06-2011, 02:37 AM
I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP.

My webpage uses HTML FORMS. When most of these forms get sent back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic rundown, I have a newsletter sign up system.

"Enter your e-mail address"... and then the user enters their e-mail and submits. PHP runs a MySQL query to insert that FORM value into the database along the lines of this:

$sql = "insert into newsletters (email) values ('" . $_POST['email'] . "')";

I fear this is very vulnerable to injection attack as it means a trouble maker can come along and enter anything they want into my database, potentially wiping it out.

Is there anything I should look out for, like real obvious when it comes to MySQL security?
Should I be limiting the privileges of the MySQL user account that is used to insert things into the database, such as read-write only or something?

Old Pedant
11-06-2011, 03:26 AM
$sql = "insert into newsletters (email) values ('" . mysql_real_escape_string($_POST['email']) . "')";

*ALWAYS*

FlashDance
11-06-2011, 03:38 AM
Wow, it's as easy as that is it?!

Am I correct that mysql_real_escape_string strips everything but letters and numbers?

Would it be wise to use mysql_real_escape_string for all $_POST['']'s?

Old Pedant
11-06-2011, 05:29 AM
Am I correct that mysql_real_escape_string strips everything but letters and numbers?

No. Go read up on it. Google is your friend. Or just go to www.php.net and type that into the search box and read the official docs.



Would it be wise to use mysql_real_escape_string for all $_POST['']'s?

My opinion: Not for numbers and dates. For those, you should instead actually *check* that they are numbers and dates. (Well, maybe for MySQL dates it would be okay...but still...)

But using it even for them is better than not using anything.
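The two points above (quote and escape string values; check numbers and dates rather than escaping them) put together as an added example, not code from anyone in this thread. It uses mysqli_real_escape_string because the mysql_* extension was removed in PHP 7; the age and signup_date columns, the connection details and the sample input are assumptions made for the demo.

```php
<?php
// Added example. Assumes a table newsletters(email, age, signup_date); the
// age/signup_date columns are hypothetical, added to show number/date checks.

// Numbers: validate, don't escape. ctype_digit rejects "", "-1", "1e3",
// "1 OR 1=1" and anything else that is not an unsigned decimal integer.
function cleanAge($raw) {
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $n = (int)$raw;
    return ($n >= 13 && $n <= 120) ? $n : null;
}

// Dates: parse with a fixed format and round-trip the result, so that
// "2011-02-31" (which PHP silently rolls over to March) is rejected too.
function cleanDate($raw) {
    if (!is_string($raw)) {
        return null;
    }
    $d = DateTime::createFromFormat('Y-m-d', $raw);
    return ($d && $d->format('Y-m-d') === $raw) ? $raw : null;
}

// Strings: escape through the live connection AND wrap the value in quotes.
// Escaping alone is not enough: an unquoted value is still injectable.
function buildInsert(mysqli $db, $email, $age, $date) {
    $e = mysqli_real_escape_string($db, $email);
    return "INSERT INTO newsletters (email, age, signup_date) VALUES ('$e', $age, '$date')";
}

// Constructed form input standing in for $_POST.
$post = ['email' => "o'brien@example.com", 'age' => '27', 'signup_date' => '2011-11-06'];

$email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
$age   = cleanAge($post['age']);
$date  = cleanDate($post['signup_date']);
if ($email === false || $age === null || $date === null) {
    exit("Rejected input\n");
}

// Placeholder credentials; the account only needs INSERT on this table.
$db = new mysqli('localhost', 'newsletter_rw', 'secret', 'site');
$db->query(buildInsert($db, $email, $age, $date));

// Same insert as a prepared statement, which does the quoting for you.
$stmt = $db->prepare('INSERT INTO newsletters (email, age, signup_date) VALUES (?, ?, ?)');
$stmt->bind_param('sis', $email, $age, $date);
$stmt->execute();
```

The apostrophe in the sample address is the case the thread is about: it is legitimate data, so it must be escaped (or bound) rather than stripped.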


