
Is this a secure way to insert data into the DB?

$var = mysql_real_escape_string(htmlspecialchars(stripcslashes($_POST["address"]), ENT_QUOTES, "ISO-8859-1"));
AstroCB
Mafitsi
  • No, it's not. You're using an obsolete DB library. You're trashing your data by specialchars/stripslashes on it as well. – Marc B Jul 08 '13 at 04:05
  • There is no "silver bullet". But arguably one of the most effective ways to guard against SQL injection is to use prepared statements: http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html – paulsm4 Jul 08 '13 at 04:05
  • possible duplicate of [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php) – Marc B Jul 08 '13 at 04:05
  • In this answer, http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php, the second answer said: `//Connect $unsafe_variable = $_POST["user-input"]; $safe_variable = mysql_real_escape_string($unsafe_variable); mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')"); //Disconnect`. Does that mean I need to use `$var = mysql_real_escape_string($_POST["address"]);` only? And to print like this: `echo htmlspecialchars($row['address']);`? **PDO** is an advanced option; I'm a newbie, I don't really understand. – Mafitsi Jul 08 '13 at 07:19
  • magic quotes is enabled, can I use it like this? `$var = mysql_real_escape_string(stripcslashes($_POST["address"]));` – Mafitsi Jul 08 '13 at 08:46

1 Answer


There is no "silver bullet".

But arguably one of the most effective ways to guard against SQL injection is to use prepared statements:

http://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html

Another, equally effective defense is to use the most modern, secure MySQL APIs available: either MySQLi (object-oriented) or PDO:

http://php.net/manual/en/mysqlinfo.api.choosing.php

Here is a good link regarding SQL injection, and how you can mitigate risks in your MySQL code:

http://php.net/manual/en/security.database.sql-injection.php

Two guidelines I would strongly urge you to follow:

1) You should NOT use the old, deprecated MySQL API for any new code. Use MySQLi or PDO instead.

2) You should NOT allow raw user input anywhere near a SQL statement. Carefully validate your input, and use prepared statements whenever possible.

IMHO...

paulsm4
  • The question was directed at XSS as well, where I would just add to use htmlspecialchars when you are outputting from a DB, not when you are inserting it – cyber-guard Jul 08 '13 at 08:39
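As an added example (not code from the original question or answer), here is the string-concatenation insert the question asks about next to the PDO prepared statement the answer recommends, with htmlspecialchars applied at output time as the last comment suggests. It assumes an in-memory SQLite database opened through PDO so that it runs without a MySQL server; the PDO calls are the same with a MySQL DSN. The table name, the column name and the attacker-supplied address are constructed for the illustration.

```php
<?php
// Added example, not the original poster's code. Assumption: an in-memory
// SQLite database so this runs offline; with MySQL the DSN would be something
// like "mysql:host=localhost;dbname=app;charset=utf8mb4" and the rest is unchanged.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also disable client-side emulation so the server parses the
// statement separately from the parameter values:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE addresses (id INTEGER PRIMARY KEY, address TEXT NOT NULL)');

// Constructed attacker input standing in for $_POST["address"]. The quote and
// parenthesis close the intended value and append a second row to VALUES.
$input = "1 Main St'), ('injected row";

// The unsafe pattern: raw user input pasted into the SQL string.
// Returns the number of rows the statement actually inserted.
function insertUnsafe(PDO $pdo, string $address): int
{
    return $pdo->exec("INSERT INTO addresses (address) VALUES ('" . $address . "')");
}

// The hardened form: a prepared statement with a bound parameter. The input is
// stored exactly as received; no escaping or HTML encoding happens here.
function insertSafe(PDO $pdo, string $address): int
{
    $stmt = $pdo->prepare('INSERT INTO addresses (address) VALUES (:address)');
    $stmt->execute([':address' => $address]);
    return $stmt->rowCount();
}

// Output encoding belongs at the HTML boundary, not before the INSERT.
function renderAddress(string $address): string
{
    return htmlspecialchars($address, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

printf("unsafe insert affected %d row(s)\n", insertUnsafe($pdo, $input));   // 2: injection succeeded
$pdo->exec('DELETE FROM addresses');
printf("prepared insert affected %d row(s)\n", insertSafe($pdo, $input));   // 1: payload stored as text

foreach ($pdo->query('SELECT address FROM addresses') as $row) {
    echo renderAddress($row['address']), "\n";
}
```

The unsafe call inserts two rows because the database parses the attacker's text as SQL; the prepared call inserts one row whose content is the literal payload, and the single quote is only converted to an entity when the value is rendered, so the stored data stays intact and can be reused in a non-HTML context.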