Thread: PHP / Mysql security question

  1. #1

    PHP / Mysql security question

    This is pretty open ended, but generally, what do you guys do for mysql security? Will using "mysql_real_escape_string" do the trick or are there other holes to plug? For example, do I need to worry about certain characters like "--" or ";"?


    One piece of advice I received suggested only allowing strings into the database. If I have my table column labeled "VARCHAR" does this automatically make the conversion, or do I need to convert it with php before sending it to the database?


    What methods do you guys use? Any comprehensive resources you can point me towards?

    Thanks

  2. #2
    Hi, the easiest way is to use a database class, such as PDO, that has built-in binding and cleans your SQL variables. You can find out about PDO here: http://php.net/manual/en/book.pdo.php. Also, the data type of a MySQL field (or any field) doesn't really have much effect on security, because most of the time SQL is breached through SQL injections. The data type is more for optimization and speed. As far as converting it, you don't have to implicitly set data with PHP unless it gets confused.

  3. #3
    PHP data will automatically get converted to the MySQL column type. So if you insert the integer 99 into a varchar column, it will become the string "99".

    mysql_real_escape_string() on any user-supplied data is secure for the database. With it, there is no way to wipe out the whole database or bypass user authentication unless YOU yourself made a stupid mistake.

    Even though your database may be secured, your frontend site may not be. Always do XSS clean, strip_tag, and htmlspecialchar wherever necessary, on any data that you may in the future query and display back onto the browser verbatim.
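    An added example (not posted by anyone in this thread) putting the two answers side by side: a concatenated query that the characters from post #1 break out of, and the PDO prepared statement with bound parameters that post #2 recommends. It assumes an in-memory SQLite database so it runs offline; with MySQL only the DSN changes. The table, rows and input are constructed.

    ```php
    <?php
    // Constructed demo database; for MySQL use 'mysql:host=...;dbname=...' instead.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name VARCHAR(50), pass VARCHAR(50))');
    $pdo->exec("INSERT INTO users (name, pass) VALUES ('alice', 'secret')");

    // Constructed input of the kind post #1 asks about: a quote, "--" and spaces.
    $name = "alice' OR '1'='1' -- ";

    // Unsafe: string concatenation. The quote closes the literal, the rest of the
    // input is parsed as SQL, and "--" comments out the password check, so a row
    // is returned without the password being known.
    function loginUnsafe(PDO $pdo, string $name, string $pass): bool {
        $sql = "SELECT id FROM users WHERE name = '$name' AND pass = '$pass'";
        return $pdo->query($sql)->fetch() !== false;
    }

    // Safe: the statement shape is sent first and the values are bound afterwards,
    // so the driver treats quotes, "--" and ";" in $name as data, never as SQL.
    function loginSafe(PDO $pdo, string $name, string $pass): bool {
        $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name AND pass = :pass');
        $stmt->execute([':name' => $name, ':pass' => $pass]);
        return $stmt->fetch() !== false;
    }

    echo 'concatenated query lets the login through: ';
    var_dump(loginUnsafe($pdo, $name, 'wrong'));
    echo 'prepared statement lets the login through: ';
    var_dump(loginSafe($pdo, $name, 'wrong'));

    // Column-type question from post #1, answered in post #3: the integer 99 bound
    // into a VARCHAR column is stored and read back as the string "99".
    $stmt = $pdo->prepare('INSERT INTO users (name, pass) VALUES (:name, :pass)');
    $stmt->execute([':name' => 99, ':pass' => 'x']);
    var_dump($pdo->query("SELECT name FROM users WHERE pass = 'x'")->fetchColumn());

    // Post #3's second point: escaping for the database does nothing for the page;
    // encode on output when the stored value is echoed back to the browser.
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
    ```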

  4. #4
    Thanks for looking at this guys. I'm going to look into these things this weekend, but it's nice to have some direction instead of just reading random tutorials.

    @neodreamer: "unless YOU yourself made a stupid mistake..."
    A very high likelihood of happening
