Greetings all:

Using PHP 4.3.xx and MySQL 4.1 (and sometimes).

I've got a ton of forms that use the $_POST variable to send information into 
the database, and I'm worried about injection attacks.

My server has magic_quotes enabled, which I thought would handle most things, 
but am wondering now if I need to use mysql_escape_string on everything, which 
would mean, of  course, a lot of find-and-replace and rewriting.

Also, REGISTER_GLOBALS is turned off, and errors are not shown to the user when 
the site is live.

Any suggestions on how to tighten up the form security, or does magic_quotes 
help enough?

For what it's worth, I've tried to enter things like "pw=''" and other 
simulated attackes using the $_GET method, but haven't been able to crack the 
site. But I'm a noob at that kind of thing, so I try not to get too carried 
away with myself.


PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to