Re: PHP mysql_excape but need to search for those items [message #178359 is a reply to message #178358]
Mon, 11 June 2012 15:54
Arno Welzel
On 11.06.2012 17:34, mrgushi wrote:
> First time poster here. I'm working on an App that needs to be able to
> query my DB via PHP in particular those items such as periods commas
> slashes and things that mysql_real_escape_string cleans out to prevent
> SQL injection attacks. How would you recommend doing that securely? My
> SQL login rights in the script are read only is that enough?
Consider using prepared statements - the query contains placeholders for
the parameters and all input from outside is used as parameters and is
never directly inserted into the statement.
> I was thinking of using JS to modify the query before they hit the
> mysql_real_escape_string such that I have a custom DB lookup for each
> major punctuation... A period = punc1 A comma = punc2 etc.... Any
An attacker can just turn off JS or use tools like curl or wget to send
HTTP requests. So always make sure your server-side code is secure and
does not rely on client-side scripting.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
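A prepared-statement version of the lookup the reply recommends, added here as an example; it is not code from the original post. The DSN, credentials, and the `items`/`name` table and column are assumptions, and the search term is a constructed value containing the punctuation the original poster asked about.

```php
<?php
// Added example (not from the original post). Assumed: a MySQL table `items`
// with columns `id` and `name`; DSN and credentials below are placeholders.
$dsn  = 'mysql:host=localhost;dbname=appdb;charset=utf8mb4';
$user = 'app_readonly';   // placeholder account
$pass = 'CHANGE_ME';      // placeholder password

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: the bound value never becomes part of the SQL text.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Exact-match lookup. The term is bound as a parameter, so periods, commas,
 * slashes and quotes are plain data; nothing needs to be escaped or stripped.
 */
function findItemsByName(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE name = :name');
    $stmt->execute([':name' => $term]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Substring search. Binding stops SQL injection, but LIKE has its own
 * metacharacters (% and _), so they are escaped inside the pattern value.
 * MySQL's default LIKE escape character is the backslash.
 */
function searchItemsByName(PDO $pdo, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE name LIKE :pat');
    $stmt->execute([':pat' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input with exactly the characters the poster was worried about.
$term = "a.b, c/d 'quoted' 100%";
print_r(findItemsByName($pdo, $term));
print_r(searchItemsByName($pdo, $term));
```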