A community in which webmasters can ask for help with topics such as PHP coding , MySQL , IT jobs, web design, IT security.
Current location:homephp forumphp talk in 2009 yearWhen are the most recommended times to use mysql_real_escape_string() - page 1
User InfoPosts
When are the most recommended times to use mysql_real_escape_string()#1
Im actually new to using this function.. and was using preg_replace and addslashes previous to finding it.

I(m mostly curious, because Im about to go through, and tighten security in the posting areas in my first large app, and wanted to know the best instances where this function is effective, and highly recommended. I(ve seen this function applied in a few different situations, and not just before user input is posted.. but when queries are done in general, so Im really curious about its full possibilities, and how to implement it to its full effectiveness.

Also, any infallible security methods, and suggestions in general will be really appreciated.

Cheers all!

posted date: 2009-04-06 18:10:00


Re: When are the most recommended times to use mysql_real_escape_string()#2
I had made out the solution of this problem. click to view my topic...

hope that hepls.

posted date: 2009-04-06 18:10:01


Re: When are the most recommended times to use mysql_real_escape_string()#3
Pretty much any time there could be characters in the data that could mess up a query, most notably quote and single quote. There are some extended characters that are dependent on your current MySQL character encoding that could do it too, which is why you want to use the one in mysql instead of addslashes().

posted date: 2009-04-06 18:12:00


Re: When are the most recommended times to use mysql_real_escape_string()#4
Ideally you should never be using it, because Parameterized queries (either through PDO or mysqli) are the correct way to prevent SQL injection.

posted date: 2009-04-06 18:18:00


Re: When are the most recommended times to use mysql_real_escape_string()#5
The most recommended times to use mysql_real_escape_string(): Whenever you are putting data into the database. If you treat the input from anywhere (in from a webpage, in from the database, in from a webservice) as a hostile attack that you have to defend and filter against problems, then you won(t go far wrongDo it the hard way the first few times, then use a framework (I use ZendFramework), or at least a part of it like Zend_DB, to make it easier on yourself.For an infallible security method - a server that cannot be broken into: disconnect the machine from the networkdisconnect the machine from power put the machine into a safedrop it into the Marianas trenchpost a guard.Note: it(s usefulness is not guaranteed at this point. it(s very secure though. Not 100%, but as good as it(s gonna get.And keep learning about security and best practices.

posted date: 2009-04-06 18:19:00


Re: When are the most recommended times to use mysql_real_escape_string()#6
Please see this response to a similar questions a little while ago.Basically, there is much more to security than just avoiding SQL Injection attacks. Also, anytime you run a query against the database that contains any sort of dynamic data there is a danger of sql injection. Lastly, it is better to use Prepared Statements with the PDO library than to use mysql_real_escape_string().1) http://www.momige.com/585358/security-of-striptags-and-mysqlirealescapestring/585568#585568

posted date: 2009-04-06 18:21:00


Re: When are the most recommended times to use mysql_real_escape_string()#7
The best thing is to parse the content as data, not as code (never execute the code). For example, JSON (Javascript) is a very easy way to assemble data from a server at a client, but you should never execute it. You should parse the data with a Regular Expression to confirm it is correct and only contains data.That said, SQL injection usually happens when you accept form data in html. The key would be to check for SQL reserved words that cause a problem, namely (; (single quote, semi-colon.) You could easily create a list of reserved words and run them through a RegEx expression (jQuery probably has something nice or C# on the server.) I am sure PHP could do this easily too. CRUD (create retrieve update and delete) verbs are nice to look for, but don(t forget about the server side SQL stored procedures that already exist to do things or worse execute sql statements (dynamic sql). You could url encode the "escape" characters if you don(t need to use them outside of a web page too.

posted date: 2009-04-06 18:26:00


Re: When are the most recommended times to use mysql_real_escape_string()#8
Hi Chad.. Thats some really important information there in that article.... Thank you so much(my stomach has turned at how vunerable my code is). Im so happy I asked this before I made my site live. Thanks again for your help.

posted date: 2009-04-06 18:38:00


Re: When are the most recommended times to use mysql_real_escape_string()#9
Hi Topbit.. Thanks for your tips:).

posted date: 2009-04-06 18:46:00


Re: When are the most recommended times to use mysql_real_escape_string()#10
Hi gabriel1836.. Thanks for this answer:).

posted date: 2009-04-06 18:50:00


Re: When are the most recommended times to use mysql_real_escape_string()#11
mysql_real_escape_string(magic_quotes_gpc() ? strip_slashes($variable) : $variable)If you insist on not using mysqli or PDO, then always.

posted date: 2009-04-06 19:17:00


Re: When are the most recommended times to use mysql_real_escape_string()#12
your 'mysqli_real_escape_data' link links to 'mysqli_real_escape_string'

posted date: 2009-04-06 19:22:00


select page: « 1 2 »
Copyright ©2008-2017 www.momige.com, all rights reserved.