Greetings all: Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).
I've got a ton of forms that use the $_POST variable to send information into the database, and I'm worried about injection attacks. My server has magic_quotes enabled, which I thought would handle most things, but am wondering now if I need to use mysql_escape_string on everything, which would mean, of course, a lot of find-and-replace and rewriting. Also, REGISTER_GLOBALS is turned off, and errors are not shown to the user when the site is live. Any suggestions on how to tighten up the form security, or does magic_quotes help enough? For what it's worth, I've tried to enter things like "pw=''" and other simulated attackes using the $_GET method, but haven't been able to crack the site. But I'm a noob at that kind of thing, so I try not to get too carried away with myself. Thanks, V -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php