mysql_real_escape_string or strip_tags - Which is more Secure
fresher_06
Member
Hi All,
I am using the below function, named "protect", and passing every POST variable through it before using it in my PHP script.
function protect($string) {
    $string = trim(strip_tags(addslashes($string)));
    return $string;
}
And then using it as below --
$Customer_id = protect($_POST['cust_id']);
My question is which is more secure, the below mysql_real_escape_string or the above protect function --
$Customer_id = mysql_real_escape_string($_POST['cust_id']);
In both cases I am going to use the $Customer_id in the MySQL query, so I am just worried about which one is more secure injection-wise.
Thanks
Comments
If $Customer_id is supposed to be an integer, you should use $Customer_id = filter_var($_POST['cust_id'], FILTER_VALIDATE_INT);
Edit: And use PDO for your queries! mysql_* is deprecated.
@NickM, if it is not an integer, then what should I use? Is mysql_real_escape_string still secure?
And I do understand that I need to change my whole application to PDO, but I have to live with mysql_* as of now.
Bad, bad, bad. Very very bad.
@fresher_06
@joepie91
In SQL you use quotes to "jail" a variable.
None of the functions mentioned are good, only addslashes is.
Addslashes makes sure that SQL inject skiddies can't "escape" the jail.
@joepie91
None of the functions mentioned are good, only addslashes is.
Addslashes makes sure that SQL inject skiddies can't "escape" the jail.
You're trolling, right?
Please tell me you're trolling.
@joepie91
This is the only thing you have to do against SQL injection.
I do believe the OP wants to validate that: look the number up in the database or, if that is the case, check if it's a number.
None, use PDO.
I do believe the OP wants to validate that: look the number up in the database or, if that is the case, check if it's a number.
I am just going to assume you're not trolling, for the sake of not letting misinfo spread on about this.
If you believe addslashes is 'the right way to do things' (EDIT: and you don't bother to look up what other people mention), you are a complete retard.
I'm not even going to bother trying to explain why (I've done that plenty of times, feel free to look up my past thread on this topic) - it suffices to say that the only valid methods to secure your shit are to use PDO for database interaction, and to use either htmlspecialchars or strip_tags on output, depending on what the desired result is.
@joepie91, I do understand that I should be using PDO, learnt my lesson, will try to rewrite my whole application in PDO, but as of now I have to live with mysql_* and am trying to find out the best way to safeguard against injection..
My understanding till now --
1) Use filter_var($_POST['cust_id'], FILTER_VALIDATE_INT); -- if I expect an Integer as an Input
2) For Non integer as an input -- not sure yet
3) mysql_real_escape_string -- not sure in exactly what condition I should use it.
Thanks
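To show what the three cases in the list above look like when you are stuck on the legacy mysql_* extension, here is an added example (not the OP's code or anything posted in this thread). It assumes PHP 5.x (mysql_* was removed in PHP 7), an open connection $link, and a made-up "customers" table; the helper names int_param and str_param are invented for the example.

```php
<?php
// Added example for code that still has to use the legacy mysql_* extension.
// Assumes PHP 5.x and an invented "customers" table with an integer "id" and
// a string "name" column.

// Case 1 - integers: escaping is irrelevant. A value interpolated without
// quotes (WHERE id = $x) gets no protection from addslashes or
// mysql_real_escape_string; validating the type is the only defence.
function int_param($value) {
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('Expected an integer');
    }
    return $int; // an int, safe to place in SQL without quotes
}

// Case 2/3 - strings: this is the one situation mysql_real_escape_string is
// for. Escape with the connection's charset and ALWAYS wrap the result in
// single quotes in the SQL; escaping a value that is not inside quotes does
// nothing. strip_tags is an output concern (HTML), not a storage one.
function str_param($link, $value) {
    if (!is_string($value)) {
        throw new InvalidArgumentException('Expected a string');
    }
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Set the charset on the connection itself (not via "SET NAMES" in a query)
// so the escaping function knows which multibyte encoding is in use.
$link = mysql_connect('localhost', 'user', 'pass');
if ($link === false) {
    exit('connection failed');
}
mysql_set_charset('utf8', $link);
mysql_select_db('shop', $link);

$customer_id = int_param($_POST['cust_id']);     // e.g. 42
$name        = str_param($link, $_POST['name']);  // e.g. 'O\'Brien'

$sql = "SELECT id, name FROM customers WHERE id = $customer_id AND name = $name";
$result = mysql_query($sql, $link);
```

The point of the two helpers is that "which function" depends entirely on where the value ends up in the SQL: a numeric column compared without quotes needs validation, a quoted string literal needs connection-aware escaping, and neither addslashes nor strip_tags is the right tool for either. This is still a workaround; the thread's advice to move to PDO or MySQLi prepared statements removes the question altogether.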
@joepie91
I am not a retard...
But when somebody mentions "security" in SQL queries then I think of injection.
So basically you just want to see if the input is clean, use a regex or similar, or use database entries.
If you're forced to use the mysql_* functions, then mysql_real_escape_string should do the trick for strings.
@fresher_06
That's an excellent way of doing it!
You should always use it when the end user can enter their own string.
Then stop acting like one.
Which is why you use PDO because SQLi is not a possibility there. It helps if you actually read up on what people say instead of just assuming your solution is better.
This makes no sense at all. You should probably explain what you mean more clearly.
You are aware that @BronzeByte talked about how he DDoSes iWipo in another thread, right?
@gsrdgrdghd
How is that relevant?
None of the functions mentioned are good, only addslashes is.
Addslashes makes sure that SQL inject skiddies can't "escape" the jail.
LOL
Can anyone tell me what the pros and cons of PDO vs MySQLi are?
Mostly, PDO is database-independent - you can use the same code (or well, that goes for all the generic stuff and prepared queries) for every kind of database, by just modifying the 'connection string'. Additionally, I'm not sure if MySQLi does prepared/parameterized queries.
It does, but it doesn't allow you to use named parameters.
If not PDO, then MySQLi (improved, which oddly isn't turned on by default in most cpanel/whm installations).
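As an added example (not from any poster in this thread), here is the same parameterised lookup written both ways, so the differences mentioned above are visible side by side: PDO takes a database-independent DSN and named placeholders, MySQLi is MySQL-only and takes positional "?" placeholders with a type string. The connection details and the "customers" table are assumed.

```php
<?php
// Added example: one query, written for PDO and for MySQLi.
// Assumes a database "shop" with an invented "customers" table.

// Validate the integer up front; a prepared statement stops injection, but
// it does not stop a non-number from reaching a numeric column.
$id = filter_var($_POST['cust_id'], FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('cust_id must be an integer');
}
$name = $_POST['name'];

// --- PDO: named placeholders, driver chosen by the DSN -------------------
// ATTR_EMULATE_PREPARES => false makes the server, not the client library,
// separate SQL from data.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('SELECT id, name FROM customers WHERE id = :id AND name = :name');
$stmt->execute([':id' => $id, ':name' => $name]);
$rowsPdo = $stmt->fetchAll(PDO::FETCH_ASSOC);

// --- MySQLi: positional placeholders only, with a type string -------------
// "i" = integer, "s" = string; one letter per "?" in order.
$mysqli = new mysqli('localhost', 'user', 'pass', 'shop');
$mysqli->set_charset('utf8mb4');
$stmt = $mysqli->prepare('SELECT id, name FROM customers WHERE id = ? AND name = ?');
$stmt->bind_param('is', $id, $name);
$stmt->execute();
// get_result() needs the mysqlnd driver; otherwise use bind_result()/fetch().
$rowsMysqli = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

In both versions the user-supplied values never touch the SQL text, which is why none of the escaping functions from the start of the thread are needed. The only thing that changes between them is the placeholder syntax and how types are declared.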