mysql_real_escape_string is used for SQL statements. Is it enough for database security alone? For example, with get_magic_quotes_gpc() we have to use stripslashes. Is there any issue that we have to know about when using other functions with mysql_real_escape_string?
Thanks in advance

you lazy butts refuse to click links :) want the same text copy-pasted right on the plate. Gotta cook yourself a trouble though – Your Common Sense Jun 26 '10 at 09:28
3 Answers
If you want to have a more secure database, simply escaping a string is not enough. This will definitely help in regards to SQL injection attacks, but there are a host of other methods to compromise a database.
Some pointers:
- Practice "least privilege" in that the users and accounts that are GRANTed access to your database should have the minimum privileges to complete their tasks and nothing else.
- Make sure your passwords are difficult to guess (composed of letters both lower and upper, numbers, symbols, etc.) and changed regularly.
- Don't save credit card numbers unless absolutely necessary (assuming you're running a commercial site).
- Hash and possibly salt your passwords before storing them in your database if you'll have user accounts.
- Check and double-check port numbers (3306 for MySQL) and permissions on files and directories, especially if users are uploading files.
These are generally good practice and you should be aware of issues for databases outside the scope of just SQL injection attacks.

in regards to SQL injection attacks, escaping itself will help nothing – Your Common Sense Jun 26 '10 at 09:26
"in regards to SQL injection attacks, escaping itself will help nothing" And what is the solution for SQL injection attacks? – TheNone Jun 26 '10 at 09:45
Add quotation marks around escaped data at least, and devise something else when you can't. – Your Common Sense Jun 26 '10 at 09:51
A simple example of "least privilege" is to prevent PHP code from logging into a database as root. Instead, you should create a new user that is only allowed to INSERT, UPDATE, SELECT, and DELETE on a set of tables or possibly even just columns for a database. You don't want to give this user the power to drop tables, databases, etc.; you only want to give the minimum set of privileges required to complete a task and nothing else. – SHC Jun 27 '10 at 10:40
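The least-privilege setup SHC describes above, written out as MySQL statements. This is an added example, not code from the question or the answers; the `shop` database, its table and column names, and the `app` user are constructed for illustration.

```sql
-- Constructed example: application user `app`, allowed to connect only from the web host.
-- The password is a placeholder; use a generated one in practice.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'PLACEHOLDER-strong-password';

-- Row-level work only on the tables the application actually touches.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders      TO 'app'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.order_items TO 'app'@'localhost';

-- Reference data the application only ever reads.
GRANT SELECT ON shop.products TO 'app'@'localhost';

-- Column-level grants: the login code must read the password hash to verify it,
-- but the only column the web tier is allowed to change is last_login.
GRANT SELECT ON shop.customers TO 'app'@'localhost';
GRANT UPDATE (last_login) ON shop.customers TO 'app'@'localhost';

-- Append-only audit trail: rows can be written but never edited or removed
-- through the application account.
GRANT INSERT ON shop.audit_log TO 'app'@'localhost';

-- Verify the result. The listing must contain no DROP, ALTER, CREATE, FILE,
-- SUPER or GRANT OPTION, and no `ON *.*` entry for this account.
SHOW GRANTS FOR 'app'@'localhost';

-- For contrast, the shape SHC warns against (shown only for comparison):
-- GRANT ALL PRIVILEGES ON *.* TO 'app'@'localhost';
```

A compromised `app` account limited this way can damage at most the rows it is granted, not the schema, other databases, or the server.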
Not really. SQL statements are different: for some of them it helps, for others it does not.
I've answered that question recently: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
Hope it can give you the full picture, but you are welcome to ask if something is unclear.
Note that get_magic_quotes_gpc() and stripslashes are NOT a database issue. It's just an input data validation thing, and it has nothing to do with SQL.
