The Web Design Group
> SQL Injection prevention
max2474
post Feb 11 2012, 09:20 PM
Post #1
Group: Members
Posts: 5
Joined: 10-February 12
Member No.: 16,443
Hi. I have been reading a lot on SQL injection and it seems there are many ways to help prevent it. I am just wondering, would something like
CODE
$email = filter_var(mysql_real_escape_string($_POST['email']), FILTER_SANITIZE_EMAIL);
be enough? My understanding is that this will ensure there is a "@" sign with data either side, as well as removing the usual SQL "baddies". If so, is there still a need to do long scripts for further checking?

Btw, is there anything wrong with combining two checks in one? The script is working fine at the mo.

I have many form variables to check, this is just one example.

Many thanks in advance

Replies
max2474
post Feb 12 2012, 08:11 PM
Post #2
Group: Members
Posts: 5
Joined: 10-February 12
Member No.: 16,443

Thanks very much for your reply. The script is at very early stages yet, I am just beginning the SQL stage.

This question is centered around a sign up / login script.

I have to admit, I have no idea what the difference between an SQL escape or HTML escape may be... however -

IF the database is written with the output from this sequence (when a new member signs up for example) and later compared to his login (also from this sequence), as far as I can see, they will match up.

I guess the only real question is - would this suffice security wise for a member signup/login script?

This post has been edited by max2474: Feb 12 2012, 08:12 PM
Christian J
post Feb 13 2012, 11:19 AM
Post #3

Group: WDG Moderators
Posts: 9,650
Joined: 10-August 06
Member No.: 7
QUOTE(max2474 @ Feb 13 2012, 02:11 AM)

I guess the only real question is - would this suffice security wise for a member signup/login script?

Another thing you should do is encrypt all passwords (using salt). In addition, any "hardwired" passwords (such as the one for the DB itself) should be kept above the web root.

But I'm not the right person to advise on this...
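For reference, here is an added example (not code from any poster in this thread) of the two points raised above done the usual way in PHP: the SQL is written with placeholders so the data never becomes part of the query text and no escaping is needed, and passwords are stored with password_hash(), which generates and stores its own random salt. It uses an in-memory SQLite database so it runs stand-alone; the table name, column names and the sample address are assumptions. The mysql_* extension used in the original snippet was removed in PHP 7, and FILTER_VALIDATE_EMAIL is used here instead of FILTER_SANITIZE_EMAIL because rejecting a bad address is safer than silently stripping characters out of it.

```php
<?php
// Added example: parameterised signup/login with PDO. SQLite in memory keeps it
// self-contained; in production the DSN would point at the real MySQL server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');

// Validate rather than sanitise: return null for anything that is not a well-formed address.
function validEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function signup(PDO $db, string $email, string $password): bool
{
    $email = validEmail($email);
    if ($email === null || strlen($password) < 8) {
        return false;
    }
    // Named placeholders: the driver sends the values separately from the SQL text,
    // so quotes or comment markers in the input are just data, not syntax.
    $stmt = $db->prepare('INSERT INTO members (email, pw_hash) VALUES (:email, :hash)');
    // password_hash() picks a random salt and embeds it in the returned string.
    return $stmt->execute([':email' => $email, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $email, string $password): bool
{
    $email = validEmail($email);
    if ($email === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT pw_hash FROM members WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt back out of the stored hash and compares in constant time.
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// Constructed sample run. An apostrophe in the address is a legitimate edge case that
// needs no escaping because it is passed as a bound parameter.
var_dump(signup($db, "o'brien@example.com", 'correct horse battery'));
var_dump(login($db, "o'brien@example.com", 'correct horse battery'));
var_dump(login($db, "o'brien@example.com", 'wrong password'));
var_dump(login($db, 'not an address', 'correct horse battery'));
```

Because the stored value is a hash, the "write at signup, compare at login" matching mentioned earlier still works, but a copy of the database no longer reveals the passwords themselves.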