
I have a members-only part of my site and I'm using a form for me as the only user to update a database.

The first thing that happens on the PHP-based form processing page is something along these lines...

session_start();   // $_SESSION is empty unless the session has been started on this page

// Deny anyone whose session has no member_id, or whose member_id is not 1.
if(!isset($_SESSION['member_id']) || $_SESSION['member_id'] != 1){
   exit;
} else {
   //post stuff to db.
}

So, basically if your member_id isn't 1, then the script stops.

One piece of data I'll be posting is a string that may contain quotes.

Question: In this environment, can I simply use addslashes() for the string that may contain quotes and feel reasonably safe that I won't do something unintentionally bad to my database?

Thanks.

gtilflm
  • when querying a database, it's best to use prepared statements and guard against session hijacking and XSS exploits. – Funk Forty Niner Jun 10 '15 at 01:30
  • Check out [examples of sql injections through addslashes](http://stackoverflow.com/questions/860954/examples-of-sql-injections-through-addslashes); as you [can steal someone's SESSION](http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables) – LinkBerest Jun 10 '15 at 01:31
  • @Fred-ii-: Are "prepared statements" the same as "PDO"? Any other security concerns with what I've laid out? – gtilflm Jun 10 '15 at 01:54
  • It comes in 2 flavours; for mysqli http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php and for PDO http://php.net/pdo.prepared-statements that's assuming using MySQL. – Funk Forty Niner Jun 10 '15 at 02:02
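
An added example, not code from the question or the comments, showing the two routes side by side: the addslashes() string-interpolation route the question asks about, and the PDO prepared-statement route the comments recommend. It runs against an in-memory SQLite database through PDO so it works offline; the notes table, its sample rows, the inputs, the stand-in session array and the function names are all constructed for illustration. The charset and sql_mode remarks in the comments apply to MySQL, which is the database the comments assume.

```php
<?php
// Added example, not code from the original post: the addslashes() route the
// question asks about beside the prepared-statement route the comments
// recommend. Runs against an in-memory SQLite database through PDO so it is
// self-contained; the notes table, the sample rows, the inputs and the
// function names are all constructed for illustration.
declare(strict_types=1);

// The access check from the question as a reusable function. Loose == is kept
// on purpose: member_id may well come back from the database as the string "1".
function isSiteOwner(array $session): bool
{
    return isset($session['member_id']) && $session['member_id'] == 1;
}

// Route 1: addslashes() plus string interpolation. addslashes() only knows about
// ' " \ and NUL, not which database, connection charset or sql_mode is in use.
// MySQL in its default mode accepts the backslash form; under NO_BACKSLASH_ESCAPES
// or a multibyte connection charset such as GBK it does not, and SQLite (which
// doubles the quote instead) never did. The unquoted id is not escaped at all.
function updateWithAddslashes(PDO $db, string $id, string $body): int
{
    $sql = "UPDATE notes SET body = '" . addslashes($body) . "' WHERE id = " . $id;
    return $db->exec($sql);   // number of rows changed
}

// Route 2: a prepared statement. Values are sent separately from the SQL text,
// so quoting is never the application's concern, and the int type hint (with
// strict_types) rejects "1 OR 1=1" before it gets anywhere near the query.
function updatePrepared(PDO $db, int $id, string $body): int
{
    $stmt = $db->prepare('UPDATE notes SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $body, ':id' => $id]);
    return $stmt->rowCount();
}

function fetchBody(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO notes (id, body) VALUES (1, 'one'), (2, 'two'), (3, 'three')");

$session = ['member_id' => '1'];          // constructed stand-in for $_SESSION
if (!isSiteOwner($session)) {
    exit("not the site owner\n");
}

$body = "O'Reilly wrote \"it's fine\"";   // constructed input with both quote types

try {
    updateWithAddslashes($db, '1', $body);
} catch (PDOException $e) {
    // On SQLite this is a syntax error: the backslash is not an escape there.
    echo "addslashes route: " . $e->getMessage() . "\n";
}

// A stray operator in the unquoted id overwrites every row, with no attacker
// required; this is the "unintentionally bad" case from the question.
$changed = updateWithAddslashes($db, '1 OR 1=1', 'oops');
echo "addslashes route with id '1 OR 1=1' changed $changed rows\n";

// The prepared route stores the quoted string verbatim and touches one row.
$changed = updatePrepared($db, 1, $body);
echo "prepared route changed $changed row(s), stored: " . fetchBody($db, 1) . "\n";
```

Two things the block makes concrete: addslashes() is string escaping, not SQL escaping, so whether its output is accepted depends on the database and connection settings rather than on the function; and the quoted-string case is only half the problem, because any value pasted into an unquoted position (an id in a WHERE clause) is not escaped at all, which is exactly the kind of accidental damage a single trusted user can do to their own table. The prepared statement removes both concerns in one step, which is why the comments point to the mysqli and PDO prepared-statement pages. The member_id check itself is fine as a gate; the separate concern the comments raise, session hijacking, is about who can obtain that session in the first place, not about the query.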

0 Answers