SQL Injection prevention
max2474 | Feb 11 2012, 09:20 PM | Post #1
Group: Members | Posts: 5 | Joined: 10-February 12 | Member No.: 16,443
Hi. I have been reading a lot on SQL injection and it seems there are many ways to help prevent it. I am just wondering, would something like

CODE
$email = filter_var(mysql_real_escape_string($_POST['email']), FILTER_SANITIZE_EMAIL);

be enough? My understanding is that this will ensure there is an "@" sign with data either side, as well as removing the usual SQL "baddies". If so, is there still a need to do long scripts for further checking?

Btw, is there anything wrong with combining two checks in one? The script is working fine at the mo. I have many form variables to check; this is just one example. Many thanks in advance.
max2474 | Feb 12 2012, 08:11 PM | Post #2
Group: Members | Posts: 5 | Joined: 10-February 12 | Member No.: 16,443
Thanks very much for your reply. The script is at a very early stage yet; I am just beginning the SQL stage.

This question is centered around a sign up / login script. I have to admit, I have no idea what the difference between an SQL escape or HTML escape may be... however, IF the database is written with the output from this sequence (when a new member signs up, for example) and later compared to his login (also from this sequence), as far as I can see, they will match up. I guess the only real question is: would this suffice security-wise for a member signup/login script?
Christian J | Feb 13 2012, 11:19 AM | Post #3
Group: WDG Moderators | Posts: 9,650 | Joined: 10-August 06 | Member No.: 7
QUOTE (max2474)
I guess the only real question is: would this suffice security-wise for a member signup/login script?

Another thing you should do is encrypt all passwords (using salt). In addition, any "hardwired" passwords (such as the one for the DB itself) should be kept above the web root. But I'm not the right person to advise on this...
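To put the two points raised in this thread together (the escaping question in post #1 and the salted password hashing in post #3), here is an added example, not code from either poster: a signup and login path where user input never becomes part of the SQL text, because PDO prepared statements carry it as parameters, and passwords are stored with password_hash(). It assumes a hypothetical users table with columns email and password_hash, and the offline demo at the bottom assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: signup/login with PDO prepared statements and salted password hashing.
// Assumes a hypothetical table users(id, email, password_hash).

function validateEmail(string $raw): ?string {
    // Validation is about data shape, not SQL safety: the queries below never
    // splice this value into SQL text, so no escaping function is involved.
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function signup(PDO $pdo, string $rawEmail, string $password): bool {
    $email = validateEmail($rawEmail);
    if ($email === null || strlen($password) < 8) {
        return false;
    }
    // password_hash() generates a random salt and stores it inside the hash string,
    // so there is no separate salt column to manage.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Named placeholders keep the values out of the statement the database parses.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    return $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function login(PDO $pdo, string $rawEmail, string $password): bool {
    $email = validateEmail($rawEmail);
    if ($email === null) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the salt from the stored hash and compares in constant time.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Constructed offline demo on an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
var_dump(signup($pdo, 'alice@example.com', 'correct horse battery'));
var_dump(login($pdo, 'alice@example.com', 'correct horse battery'));
// An address carrying quote characters is rejected by validation, and even if it
// were accepted it would only ever be compared as a parameter value, never parsed as SQL.
var_dump(login($pdo, "alice@example.com' OR 'a'='a", 'anything'));
var_dump(login($pdo, 'alice@example.com', 'wrong password'));
```

The stored hash string already contains the salt and algorithm identifier, so changing PASSWORD_DEFAULT in a later PHP release keeps old accounts verifiable.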