The mysql_* functions are being deprecated. So the recommendation is to use
PDO. PDO's prepared statements will help sanitize your input, because even
on an update/insert, a malicious user can still wreak havoc.

Here is a slightly older article on it:
https://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059


On Tue, May 27, 2014 at 5:12 AM, Dan Egli <[email protected]> wrote:

> I'm sure this one will open a kettle of worms, but here goes anyway. I've
> seen all sorts of chatter about the best way to prevent SQL injection
> attacks in PHP pages. Some say simply using the encode functions (i.e.
> real_mysql_encode()) is sufficient. Others say that these functions are so
> old as to be broken and so should be avoided. So, I turn to the PLUG
> people. What methods have YOU used with PHP that are intended to
> block/prevent SQL injection attacks, and how well have they worked?
>
> At the moment, the little script set I'm writing never writes directly to
> the file system, so preventing things like unauthorized
> creation/modification/removal of files and such isn't an issue. But that
> could come later. For now, my biggest vulnerabilities that I can see come
> from two pages. One that lets you sign up for an account on the system, and
> one that lets you change a forgotten password. I've got some security in
> place as it stands, but I KNOW it could be a LOT better as it's just
> something I threw together off my head without any serious concerns for
> security until right at the end. The security for the DB itself is somewhat
> decent, since the username that the pages use to login to the database is
> only authorized to execute insert and update commands. So there's no chance
> of dropping tables and/or individual records. But still, I know that with
> some extra work I could make it a lot more secure. I just don't know which
> of all sorts of arguments actually work in the real world these days.
>
> I appreciate any tips. And especially if you can post URLs that show what
> you're talking about. :)
>
> Thanks folks!
> --- Dan
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>

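As an added example (not code from the original thread or from either poster), here is the "forgot password" UPDATE from Dan's question written both ways: once by string concatenation, the way mysql_query() code was usually written, and once as a PDO prepared statement. It runs against an in-memory SQLite database so it works offline; the table, the three users and the malicious username are all constructed for the demo. The driver option and function names are assumptions for the illustration, not anything from the list.

```php
<?php
// Added example: the same password-reset UPDATE done two ways.
// Everything below (table, users, attacker input) is constructed for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // pdo_mysql emulates prepares client-side by default; turning emulation
    // off sends real parameterised statements to the server. Harmless for SQLite.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'hash-a'), ('bob', 'hash-b'), ('carol', 'hash-c')");

// Attacker-controlled form field from the password-reset page.
$username = "nobody' OR '1'='1";
$newHash  = 'hash-attacker';

// 1. String concatenation. The DB account may only hold INSERT/UPDATE rights,
//    yet this one statement rewrites every password in the table, because the
//    quote in $username ends the string literal and the rest becomes SQL.
function resetPasswordUnsafe(PDO $pdo, string $username, string $newHash): int
{
    $sql = "UPDATE users SET password = '$newHash' WHERE username = '$username'";
    return $pdo->exec($sql);  // number of rows changed
}

// 2. Prepared statement. The query text is fixed before any value is seen;
//    the values travel separately, so the quote is just a byte in a string
//    and only a user literally named "nobody' OR '1'='1" could match.
function resetPasswordSafe(PDO $pdo, string $username, string $newHash): int
{
    $stmt = $pdo->prepare('UPDATE users SET password = :password WHERE username = :username');
    $stmt->execute([':password' => $newHash, ':username' => $username]);
    return $stmt->rowCount();
}

// Count how many accounts now carry the attacker's hash.
function countCompromised(PDO $pdo, string $newHash): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) AS n FROM users WHERE password = :p');
    $stmt->execute([':p' => $newHash]);
    return (int) $stmt->fetch()['n'];
}

echo 'concatenated UPDATE changed ' . resetPasswordUnsafe($pdo, $username, $newHash)
   . ' rows, compromised accounts: ' . countCompromised($pdo, $newHash) . "\n";

// Put the demo data back, then send the identical input through the prepared statement.
$pdo->exec("UPDATE users SET password = 'hash-' || substr(username, 1, 1)");

echo 'prepared UPDATE changed ' . resetPasswordSafe($pdo, $username, $newHash)
   . ' rows, compromised accounts: ' . countCompromised($pdo, $newHash) . "\n";
```

Run with `php example.php`: the concatenated version reports three rows changed and three compromised accounts, the prepared version zero and zero, which is exactly the "even on an update/insert" point above, since no DROP privilege was needed to do damage. Two caveats worth keeping in mind: placeholders bind values only, so a table name, column name or ORDER BY direction taken from the request still has to be checked against a fixed whitelist; and with pdo_mysql, leave emulation off (as above) and set the connection charset in the DSN so the server, not a client-side string escaper, does the quoting.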