I got a script that takes variables submitted from a form, passes them from an htmlspecialchars and addslashes functions, and then stores them to the database.
Is this enough? Or is such thing vulnerable to SQL injections and other attacks?
mysql_real_escape_string is a really good function to use. I use this mainly!
"Am I the only one doing ASP.NET in Delphi(Pascal)?"

Don't run your variables through htmlspecialchars before storing them in the database - it's unnecessary and it inflates your storage requirements. Use htmlspecialchars when you display the data (to prevent XSS attacks).
If you are using MySQL as your database, use mysql_real_escape_string instead of addslashes; otherwise use addslashes. Or, better yet, use PDO to access your database (whether you use MySQL or not).
In addition, if you are expecting a number, make sure it's a number; if you are expecting an e-mail address, make sure it's an e-mail address. Simply escaping data is not the same as validating it - you must ensure that the data is what you expect, otherwise you will get unexpected (and potentially dangerous) results when you attempt to use the data.
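A hardened version of what this reply recommends, as an added example that is not code from the thread: validation with filter_var, a PDO prepared statement instead of addslashes, and htmlspecialchars applied only when the data is displayed. The table name, column names, DSN and credentials are placeholders, and the form input is constructed inline.

```php
<?php
// Added example, not from the thread. Assumed table: members(id, email, age, comment).

// 1. Validate: make sure the data is what you expect before it goes near SQL.
function validateMember(array $form): array
{
    $email = filter_var($form['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var($form['age'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($email === false || $age === false) {
        throw new InvalidArgumentException('invalid e-mail address or age');
    }
    // Free text is stored as typed (no addslashes, no htmlspecialchars): the
    // driver keeps it out of the SQL grammar, the view layer escapes it for HTML.
    return ['email' => $email, 'age' => $age,
            'comment' => (string) ($form['comment'] ?? '')];
}

// 2. Store with a prepared statement: values are bound, never spliced into the query.
function storeMember(PDO $db, array $m): int
{
    $stmt = $db->prepare(
        'INSERT INTO members (email, age, comment) VALUES (:email, :age, :comment)'
    );
    $stmt->bindValue(':email',   $m['email'],   PDO::PARAM_STR);
    $stmt->bindValue(':age',     $m['age'],     PDO::PARAM_INT);
    $stmt->bindValue(':comment', $m['comment'], PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// 3. Escape at display time only, so stored data is never double-encoded.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample input standing in for $_POST; DSN and credentials are placeholders.
$form = ['email' => 'alice@example.com', 'age' => '34',
         'comment' => "O'Reilly <b>rocks</b> -- \"quoted\""];
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$member = validateMember($form);
$id = storeMember($db, $member);
echo renderComment($member['comment']);
```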


> If you are using MySQL as your database, use mysql_real_escape_string instead of addslashes;

The addslashes is in this function, which the variables are passed through when they are entered into the database:

PHP Code:
function MySqlIn($value) {
    // Turn double quotes into single quotes before escaping
    $value = str_replace("\"", "'", $value);
    if (get_magic_quotes_gpc()) {
        // magic_quotes_gpc has already added the slashes
        return $value;
    } else {
        return addslashes($value);
    }
}

Should I replace the whole MySqlIn or just the addslashes with mysql_real_escape_string?