
I'm not familiar with SQL injection and I want to know if there is any vulnerability in my script. If there is, please point it out and give me some tips to fix it.

<?php
include("config.php");
?>

<?php
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);   // only $desc is escaped
$author = $_POST['author'];                // $author is used as-is, never escaped
$date = date("d/M/Y");
// $author is interpolated straight into the SQL text, so a crafted POST value
// changes the statement; "or die(mysql_error())" also sends the raw database
// error message back to the client.
mysql_query("INSERT INTO `changelog`(`author`, `date`, `description`) VALUES ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>
Danny Beckett
Yanir
  • StackOverflow is neither for judging someone's code, nor for finding errors or security problems in people's code. We can answer questions though. – Hidde Jul 21 '13 at 22:45
  • Yes, [**Don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Lawrence Cherone Jul 21 '13 at 22:50

2 Answers

Yes, there is. You are relying solely on mysql_real_escape_string, which has been deprecated. Furthermore, you should build some logic tests of your own based on the range of input you are expecting. You might want to use RegExp or some other trimming functions, but don't rely just on mysql_real_escape_string.

Phillip Berger
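The fix that the comment under the question and this answer both point at, written out as an added example (it is not code from the original question or from either answer): the string-built INSERT from the question beside a PDO prepared-statement version with explicit validation of the two POST fields. It assumes config.php defines $dsn, $dbUser and $dbPass (hypothetical names), that the changelog table has the same three columns used in the question, and the length limits of 64 and 2000 characters are assumptions, not requirements of the page.

```php
<?php
// Added example, not code from the original question or answers.
// Assumed: config.php defines $dsn, $dbUser and $dbPass (hypothetical names), e.g.
//   $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
declare(strict_types=1);

// The statement text the original code sends to MySQL for a given POST body.
// Kept only to show where untrusted input lands in the SQL; do not use it.
function originalQueryText(string $author, string $desc): string
{
    $date = date("d/M/Y");
    return "INSERT INTO `changelog`(`author`, `date`, `description`) "
         . "VALUES ('{$author}','{$date}','{$desc}')";
}

// Validate by rejecting, not by "cleaning". The limits (64 / 2000 characters)
// are assumptions; use whatever the changelog form really allows.
function validateChangelogInput(array $post): array
{
    $author = trim((string) ($post['author'] ?? ''));
    $desc   = trim((string) ($post['desc'] ?? ''));

    if ($author === '' || mb_strlen($author) > 64) {
        throw new InvalidArgumentException('author must be 1 to 64 characters');
    }
    if ($desc === '' || mb_strlen($desc) > 2000) {
        throw new InvalidArgumentException('description must be 1 to 2000 characters');
    }
    return ['author' => $author, 'desc' => $desc];
}

// The same INSERT with bound parameters. The values never become part of the
// SQL text, so quotes and comment markers inside them are stored as data.
function insertChangelog(PDO $pdo, string $author, string $desc): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO `changelog` (`author`, `date`, `description`) VALUES (:author, :date, :desc)'
    );
    $stmt->execute([
        ':author' => $author,
        ':date'   => date('d/M/Y'), // same format as the question; use 'Y-m-d' if the column is a DATE
        ':desc'   => $desc,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed demonstration value: an author field that closes the VALUES list
// itself and comments out the rest of the statement.
$payload = "admin','01/Jan/1970','forged entry') -- ";

// With the original code the attacker now controls every column:
//   INSERT INTO `changelog`(...) VALUES ('admin','01/Jan/1970','forged entry') -- ','<today>','harmless')
echo originalQueryText($payload, 'harmless'), "\n";

// With a prepared statement the same string is simply stored as the author name.
require 'config.php';
$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares on the mysql driver
]);

try {
    $in = validateChangelogInput($_POST);
    insertChangelog($pdo, $in['author'], $in['desc']);
    include 'success.php';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
} catch (PDOException $e) {
    // Log the detail server-side instead of echoing it to the client the way
    // "or die(mysql_error())" does.
    error_log($e->getMessage());
    http_response_code(500);
    echo 'Could not save changelog entry.';
}
```

The validation step is deliberately separate from the query: a prepared statement stops the input from changing the SQL, but it does not stop an empty author or a 50 KB description, which is the "logic tests" part of this answer. Setting the charset in the DSN matters as well, because escaping-based defences depend on the connection charset matching what the server actually uses, whereas bound parameters do not.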

You should write some logic to test the data you are expecting.

You can check out http://php.net/manual/en/security.database.sql-injection.php for more information on preventing SQL Injections.

newtonrd