
Thread: MySQL security

  1. #1 Regular Coder (FlashDance)

    MySQL security

    I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP.

    My webpage uses HTML FORMS. When most of these forms get sent back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic run down, I have a newsletter sign up system.

    "Enter your e-mail address"... and then the user enters their e-mail and submits. PHP runs a MySQL query to insert that FORM value into the database along the lines of this:
    Code:
    // raw form value concatenated straight into the query (no escaping)
    $SQL = "insert into newsletters (email) values ('" . $_POST['email'] . "')";
    I fear this is very vulnerable to injection attack as it means a trouble maker can come along and enter anything they want into my database, potentially wiping it out.

    Is there anything I should look out for, like real obvious when it comes to MySQL security?
    Should I be limiting the privileges of the MySQL user account that is used to insert things into the database, such as read-write only or something?
    Last edited by FlashDance; 11-06-2011 at 02:01 AM.

  • #2 Supreme Master coder! (Old Pedant)
    Code:
    // escape the value, and keep the escaped value inside SQL quotes
    $SQL = "insert into newsletters (email) values ('" . mysql_real_escape_string($_POST['email']) . "')";
    *ALWAYS*
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.


  • #3 Regular Coder (FlashDance)
    Wow, it's as easy as that is it?!

    Am I correct that mysql_real_escape_string strips everything but letters and numbers?

    Would it be wise to use mysql_real_escape_string for all $_POST['']'s?
    Last edited by FlashDance; 11-06-2011 at 03:00 AM.

  • #4 Supreme Master coder! (Old Pedant)
    Quote Originally Posted by FlashDance:
    Am I correct that mysql_real_escape_string strips everything but letters and numbers?
    No. Go read up on it. Google is your friend. Or just go to www.php.net and type that into the search box and read the official docs.

    Would it be wise to use mysql_real_escape_string for all $_POST['']'s?
    My opinion: Not for numbers and dates. For those, you should instead actually *check* that they are numbers and dates. (Well, maybe for MySQL dates it would be okay...but still...)

    But using it even for them is better than not using anything.
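Putting the two replies together in working PHP, as an added example that is not code from the thread: the escaped-string insert for the e-mail field, the "actually check it" approach for a number and a date, and a prepared statement as an alternative the thread does not discuss. It assumes a mysqli connection `$db`, a table `newsletters(email)`, and constructed form fields `age` and `birthday`; `mysql_real_escape_string()` no longer exists in PHP 7+, so `mysqli_real_escape_string()` is used.

```php
<?php
// Added example, not the thread's code. Assumes $db is an open mysqli connection
// and a table newsletters(email VARCHAR(254)) exists.
// $db = new mysqli('localhost', 'newsletter_user', '<password>', 'site');

// Constructed sample input standing in for $_POST (note the legitimate apostrophe).
$input = ['email' => "o'reilly@example.com", 'age' => '42', 'birthday' => '1999-12-31'];

// 1. The thread's approach: escape free-text strings before concatenating them.
//    The escaped value MUST be wrapped in SQL quotes, or escaping changes nothing.
function build_insert_escaped(mysqli $db, string $email): string {
    return "INSERT INTO newsletters (email) VALUES ('"
         . mysqli_real_escape_string($db, $email) . "')";
    // caller runs: mysqli_query($db, $sql);
}

// 2. For numbers and dates, *check* the value instead of escaping it.
//    Anything that does not parse is rejected before it reaches MySQL.
function check_int(string $v): int {
    if (!preg_match('/^-?\d{1,10}$/', $v)) {
        throw new InvalidArgumentException("not an integer: $v");
    }
    return (int) $v;
}
function check_date(string $v): string {
    $d = DateTime::createFromFormat('Y-m-d', $v);
    if ($d === false || $d->format('Y-m-d') !== $v) {   // rejects 2011-02-31 too
        throw new InvalidArgumentException("not a YYYY-MM-DD date: $v");
    }
    return $v;
}

// 3. Alternative: a prepared statement keeps the SQL and the data separate,
//    so the value is never interpreted as part of the query text.
function insert_email_prepared(mysqli $db, string $email): bool {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                       // validate first, independent of SQL
    }
    $stmt = $db->prepare('INSERT INTO newsletters (email) VALUES (?)');
    $stmt->bind_param('s', $email);
    return $stmt->execute();
}

$age      = check_int($input['age']);        // 42
$birthday = check_date($input['birthday']);  // '1999-12-31'
$sql      = build_insert_escaped($db, $input['email']);
// $sql === "INSERT INTO newsletters (email) VALUES ('o\'reilly@example.com')"
insert_email_prepared($db, $input['email']);
```

Running the inserting code as a MySQL account that only has INSERT on `newsletters` (the privilege question in the first post) limits what a bad query could do even if a check is missed.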
