Security

Question

Security

Possible duplicate:
Best way to prevent SQL injection in PHP

Is this code sufficiently protected against SQL injection

if(isset($_POST['Submit'])) { $user = mysql_real_escape_string($_POST["user"]); $pass = mysql_real_escape_string($_POST["pass"]); $confirm_key=md5(uniqid(rand())); $query = mysql_query("INSERT INTO members (user, pass, mail, confirm_key, country, city, www, credo) VALUES ('$user','$pass','$_POST[mail]','$confirm_key','$_POST[country]','$_POST[city]','$_POST[www]','$_POST[credo]')") or die ("Error during INSERT INTO members: " . mysql_error()); exit(); }

Is this correct and every entrance must be protected (for example, country, city ...)?

+4

mysql sql-injection

Alegro Aug 2 '12 at 20:54

source share

2 answers

http://php.net/manual/en/function.mysql-real-escape-string.php

Even php docs say don't use mysql_real_escape_string

+1

rk2z Aug 2 '12 at 21:01

source share

tadman · Accepted Answer · 2012-08-02T20:57:45+0000

DO NOT USE mysql_query for new applications. You must use mysqli or PDO to do your escaping with placeholders. There are many examples you can use.

Typically, your SQL should look like this:

 INSERT INTO `table` (column) VALUES (?)

It SHOULD NOT look like this:

 INSERT INTO `table` (column) VALUES('$dangerous_user_content')

If you use placeholders correctly, it's almost impossible to create an SQL injection hole.

Security

More articles: