Yep, this. Use prepared statements, and absolutely avoid hand-building
your queries.
I'm not sure why people would say that mysql_real_escape_string() was
dangerous though. It was literally the escape function from the MySQL
library, so I find it a bit difficult to believe it was 'out of date and
broken'. Still, it's the poorer choice, and the function-based methods
are going away anyway.
On 5/27/2014 7:35 AM, Brian J. Rogers wrote:
The mysql_* functions are being deprecated. So the recommendation is to use
PDO. PDO's prepared statements will help sanitize your input, because even
on an update/insert, a malicious user can still wreak havoc.
Here is a slightly older article on it:
https://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
On Tue, May 27, 2014 at 5:12 AM, Dan Egli <[email protected]> wrote:
I'm sure this one will open a kettle of worms, but here goes anyway. I've
seen all sorts of chatter about the best way to prevent SQL injection
attacks in PHP pages. Some say simply using the encode functions (i.e.
real_mysql_encode()) is sufficient. Others say that these functions are so
old as to be broken and so should be avoided. So, I turn to the PLUG
people. What methods have YOU used with PHP that are intended to
block/prevent SQL injection attacks, and how well have they worked?
At the moment, the little script set I'm writing never writes directly to
the file system, so preventing things like unauthorized
creation/modification/removal of files and such isn't an issue. But that
could come later. For now, my biggest vulnerabilities that I can see come
from two pages. One that lets you sign up for an account on the system, and
one that lets you change a forgotten password. I've got some security in
place as it stands, but I KNOW it could be a LOT better as it's just
something I threw together off my head without any serious concerns for
security until right at the end. The security for the DB itself is somewhat
decent, since the username that the pages use to login to the database is
only authorized to execute insert and update commands. So there's no chance
of dropping tables and/or individual records. But still, I know that with
some extra work I could make it a lot more secure. I just don't know which
of all sorts of arguments actually work in the real world these days.
I appreciate any tips. And especially if you can post URLs that show what
you're talking about. :)
Thanks folks!
--- Dan
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
--
Matthew Walker HAM Call Sign: N7TOX
Kydance Hosting & Consulting, Inc. - http://www.kydance.net/
PHP, Perl, and Web Development - Linux Server Administration
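The PDO prepared-statement approach that Brian and Matthew recommend, applied to the two pages Dan describes (account signup and forgotten-password change), as an added example that is not code from anyone in the thread. The DSN, credentials, and the table and column names (users: username, email, pw_hash) are assumptions for illustration.

```php
<?php
// Added example, not code from anyone in the thread. The DSN, credentials
// and the table/column names (users: username, email, pw_hash) are assumed.

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',
                   'app_user', 'app_password');   // placeholder credentials
    // Throw on errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepares rather than client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Vulnerable version of the signup insert: user input is spliced into the
// SQL text, so a quote character in $username or $email changes the
// structure of the statement instead of being stored as data.
function signupVulnerable(PDO $pdo, string $username, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->exec("INSERT INTO users (username, email, pw_hash) VALUES "
             . "('$username', '$email', '$hash')");
}

// Hardened version: the SQL text never contains user data. Values travel
// separately as bound parameters, so the server can only treat them as
// values, never as part of the query.
function signup(PDO $pdo, string $username, string $email, string $password): void {
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, pw_hash) VALUES (:u, :e, :h)');
    $stmt->execute([
        ':u' => $username,
        ':e' => $email,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Forgotten-password change: a single UPDATE, which fits the INSERT/UPDATE-
// only database account Dan describes. The caller is assumed to have already
// verified that the requester is entitled to reset this account.
function changePassword(PDO $pdo, string $username, string $newPassword): bool {
    $stmt = $pdo->prepare('UPDATE users SET pw_hash = :h WHERE username = :u');
    $stmt->execute([
        ':h' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':u' => $username,
    ]);
    return $stmt->rowCount() === 1;   // false when no such user exists
}
```

Storing password_hash() output rather than the password itself means a leaked users table does not expose credentials directly; password_verify() checks a login attempt against the stored hash.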