Logician Posted November 6, 2011 Share Posted November 6, 2011 I have been working on a website for some time now. My work is now 95% finished and now I am starting to look at security, as I am using PHP. My webpage uses HTML FORMS. When most of these forms get send back to the server, 50% of the time PHP is inserting the value of the FORM inputs into MySQL. To give a basic run down, I have a newsletter sign up system. "Enter your e-mail address"... and then the user enters their e-mail and submits.. PHP runs a MySQL query to insert that FORM value into the database along the lines of this: insert into newsletters (email) values ('.$POST['email'].') I fear this is very vulnerable to injection attack as it means a trouble maker can come along and enter anything they want into my database, potentially wiping it out. I believe I need to "sanitize" my input with a MySQL "real_escape_string" or something? Is there anything real obvious I should look out for when it comes to PHP security? Is there a way to forbid all strings/arguments except the few I need or something perhaps? Quote Link to comment Share on other sites More sharing options...
trq Posted November 6, 2011 Share Posted November 6, 2011 Security is generally not something you should think about when your application is 95% complete, it should be thought about during the entire process. As for your question, see mysql_real_escape_string. Quote Link to comment Share on other sites More sharing options...
Logician Posted November 6, 2011 Author Share Posted November 6, 2011 Thanks for the information! I don't know what to make of the example given in that manual. $query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'", mysql_real_escape_string($user), mysql_real_escape_string($password)); ?> What is %s? $user and $password are not defined? Do you know where I can find an example of where mysql_real_escape_string is used in my case?... so I can compare it with a process that is familiar to me. Quote Link to comment Share on other sites More sharing options...
trq Posted November 6, 2011 Share Posted November 6, 2011 The %s has nothing to do with mysql_real_escape_string, see sprintf Anyway, given your example in your first post. $email = mysql_real_escape_string($_POST['email']); $sql = "INSERT INTO newsletters (email) VALUES ('$email')"; Quote Link to comment Share on other sites More sharing options...
Logician Posted November 6, 2011 Author Share Posted November 6, 2011 Thorpe, thank you very much showing me that example! Its made things allot clearer! What I am going to do is use: query = 'insert into newsletters (email) values ('.mysql_real_escape_string($_POST['email']).')'; Would it be wise to use mysql_real_escape_string for all $_POST['']'s? The PHP manual said mysql_real_escape_string escapes special characters. So I am assuming that is everything but letters and numbers? Oh ow, will this also strip the @ symbol? Is there anything else you recommend I should look into with PHP security? Quote Link to comment Share on other sites More sharing options...
xyph Posted November 6, 2011 Share Posted November 6, 2011 Read the article in my signature. It's a great read and covers most of what you need to know. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.