Re: PHP mysql_excape but need to search for those items [message #178360 is a reply to message #178358]
Mon, 11 June 2012 16:38
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 6/11/2012 11:34 AM, mrgushi wrote:
> Hey Guys,
> First time poster here. I'm working on an app that needs to be able to
> query my DB via PHP, in particular for those items such as periods, commas,
> slashes and things that mysql_real_escape_string cleans out to prevent
> SQL injection attacks. How would you recommend doing that securely? My
> SQL login rights in the script are read-only; is that enough?
>
> I was thinking of using JS to modify the query before it hits the
> mysql_real_escape_string such that I have a custom DB lookup for each
> major punctuation mark... A period = punc1, a comma = punc2, etc. Any
> alternate thoughts would be appreciated.
> THX
>
> PS - My app is an English translation guide to Braille, so I need to be
> able to look up punctuation in the DB somehow.
No, it is not sufficient to make your SQL login rights read only. That
will prevent SQL injection from changing your database, but not
something like dumping the database.

You should use mysql_real_escape_string() in the WHERE clause, also. In
fact, you should use it any time you are dealing with character data in
the database - not just INSERT or UPDATE operations.

You can use prepared statements also (some people prefer them), but that
is also additional work.

And NEVER depend on JS or anything else client-side!
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
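As an added illustration of the prepared-statement route mentioned above (this is example code, not code from either poster), here is a read-only punctuation lookup for the Braille table using mysqli. The table name `braille_map`, its columns `symbol` and `braille`, and the connection details are assumptions. Note that escaping only rewrites the characters MySQL treats specially in a quoted literal (quotes, backslash, NUL, newlines, Control-Z); periods, commas and slashes are never removed, and with bound parameters the question does not even arise because the value is sent as data rather than as SQL text.

```php
<?php
// Added example (not from the thread): look up Braille cells for punctuation
// with a prepared statement so that '.', ',', '/' and even quotes are treated
// as data, never as part of the SQL. Assumed schema:
//   braille_map(symbol VARCHAR(8) PRIMARY KEY, braille VARCHAR(32))
// Connection details are placeholders for a read-only account.

function connectDb(): mysqli
{
    $db = new mysqli('localhost', 'readonly_user', 'PLACEHOLDER_PASSWORD', 'braille');
    if ($db->connect_error) {
        throw new RuntimeException('Connect failed: ' . $db->connect_error);
    }
    // Server and client must agree on the charset; it affects escaping too.
    $db->set_charset('utf8mb4');
    return $db;
}

// Return the Braille cell(s) for one symbol, or null if it is not in the table.
// A value such as "'; DROP TABLE braille_map; --" is simply looked up as a
// literal string and matches nothing.
function lookupBraille(mysqli $db, string $symbol): ?string
{
    $stmt = $db->prepare('SELECT braille FROM braille_map WHERE symbol = ?');
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $symbol);      // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($braille);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $braille : null;
}

// Translate a line character by character (one lookup per distinct symbol).
function translateLine(mysqli $db, string $text): array
{
    $out = [];
    foreach (preg_split('//u', $text, -1, PREG_SPLIT_NO_EMPTY) as $ch) {
        $out[$ch] = $out[$ch] ?? lookupBraille($db, $ch);
    }
    return $out;
}

$db = connectDb();
foreach (['.', ',', '/', "'", 'a'] as $sym) {
    printf("%s => %s\n", $sym, lookupBraille($db, $sym) ?? '(not in table)');
}
```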