Security vs user input

Hi,

What method do you normally call before inserting user data into the database (MySQL), and then after retrieving the data?

Is mysql_real_escape_string() enough now, or do you have a better approach?

Cheers!

This is tough to answer as it depends on your needs. For example, does this query contain user input? Is it wrapped in a method or function? Other things apply as well, such as control characters and HTML.

You may want to read the following thread; it has a good conversation on when to use mysql_real_escape_string versus htmlentities or htmlspecialchars.

  1. Validate all user input to make sure that each field contains something that looks valid for that field. Apart from security issues with invalid data, you also don’t want to be trying to process junk. After all, no one has the name “delete from xyz_table where name<>‘’” and no one has the name ‘@@##@@##@@##@@##@@##’ either, so you don’t want to process either of those (using mysql_real_escape_string would prevent the first of these being run as SQL but would not prevent it being inserted into the database).

  2. Provided you use separate prepare and bind statements for your database calls, you don’t need anything special to be able to save your validated user input to the database.
    mysql_real_escape_string() used to be necessary when the SQL and data had to be all jumbled together in the one call, in order to escape parts of the data that could be confused with the SQL.

  3. Sanitize all data read from the database so as to strip out anything that might be harmful if the database has been tampered with (if it hasn’t been tampered with, then there shouldn’t be anything harmful in there).

  4. Use htmlentities or htmlspecialchars if you are writing output into a web page, in order to make sure that it doesn’t get confused with the HTML and that characters not properly recognised by the charset defined for the page still display correctly by using the appropriate entity codes.

Of these, the most important step is the first one: VALIDATION.
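The four steps above, worked through as an added PHP/PDO example (this is not code from the original thread). The users table, the DSN and credentials, and the specific validation rules for name and email are assumptions made for the example:

```php
<?php
// Added example, not from the original thread.
// Assumes a table (hypothetical):
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(60) NOT NULL, email VARCHAR(254) NOT NULL);
// DSN and credentials below are placeholders.
declare(strict_types=1);

// Step 1: validate. Return the cleaned value, or null if the field does not look valid.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    // Letters in any script, combining marks, spaces, apostrophes, periods and hyphens; 1..60 chars.
    // "delete from xyz_table where name<>''" and "@@##@@##" both fail here because of < > @ #.
    if ($name === '' || mb_strlen($name) > 60) {
        return null;
    }
    if (!preg_match("/^[\\p{L}\\p{M}' .-]+$/u", $name)) {
        return null;
    }
    return $name;
}

function validateEmail(string $raw): ?string
{
    $email = trim($raw);
    if ($email === '' || mb_strlen($email) > 254) {
        return null;
    }
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Step 2: prepare and bind. The SQL text and the values are sent separately,
// so no escaping function is needed (or wanted) on the data.
function insertUser(PDO $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Step 3: re-check data coming back out. If the row no longer passes the same
// validators, the database has been changed behind the application's back; refuse it.
function fetchUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $name  = validateName((string) $row['name']);
    $email = validateEmail((string) $row['email']);
    if ($name === null || $email === null) {
        return null;
    }
    return ['id' => (int) $row['id'], 'name' => $name, 'email' => $email];
}

// Step 4: encode for HTML at output time, never before storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage (placeholder DSN and credentials)
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$name  = validateName($_POST['name'] ?? '');
$email = validateEmail($_POST['email'] ?? '');
if ($name === null || $email === null) {
    http_response_code(422);
    exit('Invalid input');
}

$id   = insertUser($db, $name, $email);
$user = fetchUser($db, $id);
if ($user !== null) {
    echo '<p>Welcome, ' . h($user['name']) . ' (' . h($user['email']) . ')</p>';
}
```

Two points worth noting. With PDO::ATTR_EMULATE_PREPARES set to false the statement text and the bound values travel to the MySQL server as separate messages, which is exactly the situation the reply describes in which mysql_real_escape_string() has nothing left to do. And htmlspecialchars() is applied only in the echo, so the stored value stays unencoded and can be reused in a non-HTML context (an email, a JSON API) without double-encoding.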