What other things can I do to prevent MySQL injections into my PHP scripts? At the moment I check all content, etc. using stripslashes and strip_tags and also, when I expect numeric values, I use settype.
Any other ideas?

Never use stripslashes on stuff that goes into MySQL. You need to use addslashes, or if you have magic_quotes on it will do it for you.
Always check your inputs. Not just numbers, but also text.
http://www.sitepoint.com/article/sql-injection-attacks-safe

That article is a good read, although it does use ASP.

mysql_escape_string() is your friend. Always use 's to encompass user input values, even if they are numerical.
Use str_replace() to change special chars to their > value.
in vital variables that will not include user input, disallow the use of keywords like:
SELECT
DELETE
UPDATE
DROP
CREATE
<script>
'
=
and so on... this will also help secure you from cross-site scripting attacks.
-fl

Originally posted by forlamp
mysql_escape_string() is your friend, always use 's to encompass user input values, even if they are numerical.
use str_replace() to change special chars to their > value.

Good advice, but you also have htmlentities() for changing those, so no need to use str_replace.

I was reading Harry Fuecks' PHP Anthology today, and he suggested to use mysql_escape_string() instead of addslashes.
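As an added example (not code posted by anyone in this thread), the PHP below applies the advice given above: escape every string with the database driver's own escaping function, wrap every value in single quotes even when it is numeric, and cast expected numbers with settype. It uses the mysqli extension, and the `users` table, its columns and the connection details are assumed placeholders. The mysql_escape_string()/addslashes() functions discussed in the thread are obsolete (the mysql extension was removed from PHP); mysqli_real_escape_string() is the direct replacement, and the second function shows the prepared-statement form that avoids building SQL text from input at all.

```php
<?php
// Added example: escape-and-quote every value before it reaches MySQL.
// Assumes a `users` table with `id` and `username` columns (hypothetical).

// Build the WHERE clause the way the thread recommends: the string is escaped
// with the driver's function (connection-aware, unlike addslashes), and both
// values are wrapped in single quotes even though $id is numeric.
function buildUserQuery(mysqli $db, $id, string $username): string
{
    // Force the numeric parameter to an integer before it is used.
    settype($id, 'integer');

    // mysqli_real_escape_string() escapes ', ", \, NUL, \n and \r
    // according to the character set of the open connection.
    $safeName = mysqli_real_escape_string($db, $username);

    return "SELECT id, username FROM users "
         . "WHERE id = '" . $id . "' AND username = '" . $safeName . "'";
}

// Same lookup with a prepared statement: the values are sent separately from
// the SQL text, so neither escaping nor quoting is needed.
function findUser(mysqli $db, $id, string $username): ?array
{
    settype($id, 'integer');
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ? AND username = ?');
    $stmt->bind_param('is', $id, $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed usage; host, credentials and database name are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // escaping rules depend on the connection charset

// An apostrophe in the name is treated as data, not as a string delimiter,
// and the non-numeric tail of "42abc" is dropped by settype().
echo buildUserQuery($db, "42abc", "O'Brien"), PHP_EOL;
var_dump(findUser($db, 42, "O'Brien"));
```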