
Possible Duplicate:
Does mysql_real_escape_string() FULLY protect against SQL injection?

In my page I created a form, and what I want to do when posting the field value in the PHP code is to use both strip_tags and mysql_real_escape_string, as:

$res = strip_tags(mysql_real_escape_string($_POST['name']));

Is the above code correct for secure submission of input field names, or does it create any problem on submission?

  • no problem will occur, you can use it....:) Commented Nov 28, 2012 at 12:16
  • You probably don't want to use strip_tags(), as for mysql_real_escape_string(), see here for more info Commented Nov 28, 2012 at 12:17

4 Answers

In itself, this should work just fine. But personally, I'd advise you not to use mysql_real_escape_string at all. I believe I'm right in thinking you're using the mysql_* extension, which is being deprecated. Do yourself a favour and switch to either PDO or mysqli_*, preferably PDO.

These are more modern extensions that support prepared statements; see my answer here for a couple of links. Also, see Bobby Tables on why prepared statements are a far safer bet than manually escaping data.

As @phant0m says: use of mysql_real_escape_string isn't foolproof (see the link in his comment). There are also a couple of pitfalls when using functions like strip_tags and especially stripslashes: when you're processing data, it's not unimaginable that, at some point, the data contains something like Foo\'s Bar, and, as the docs say:

If magic_quotes_sybase is on, no backslashes are stripped off but two apostrophes are replaced by one instead.

Try figuring out what the result of stripslashes(mysql_real_escape_string($data)); will be...

When using strip_tags, it's important to note that the allowable tags will keep their attributes, which may contain slashes, colons, semicolons, dashes, quotes and various other chars you wouldn't want to see messing up your query...
For more possible issues with strip_tags, have a look at this post


2 Comments

I'll go for PDO. Any sites for the complete PDO reference for developers? Thanks a lot for the useful answer.
You might want to add a statement concerning the OP's use of strip_tags() to fully answer the question.
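As an added illustration of the two pitfalls this answer describes (not code from the answer or the question): addslashes() stands in for mysql_real_escape_string(), which no longer exists in PHP 7+; both prefix ' " \ with a backslash, so the stripslashes() interaction is the same. The input strings are constructed for the demonstration.

```php
<?php
// Added example: why "escape, then strip" combinations are unreliable.
// addslashes() is used here as a stand-in for mysql_real_escape_string()
// (removed in PHP 7); it does not know the connection charset, which is
// the other weakness the answer refers to.

// Constructed sample input, as a user might type it into the form field.
$input = "Foo's Bar";

// Escape for SQL, then "clean" with stripslashes(): the stripping undoes
// the escaping, so the quote goes back into the query unescaped.
$escaped  = addslashes($input);
$stripped = stripslashes($escaped);
var_dump($escaped);                  // backslash inserted before the quote
var_dump($stripped === $input);      // true: the escaping has been removed again

// strip_tags() with an allow-list keeps the attributes of allowed tags,
// so quotes, semicolons and the rest survive inside them. It also keeps
// the text content of the tags it does remove.
$html = '<a href="/x" title="O\'Reilly; x">link</a><script>evil()</script>';
var_dump(strip_tags($html));         // tags gone, "evil()" text still present
var_dump(strip_tags($html, '<a>'));  // the <a> tag keeps its title attribute intact
```

Run it with `php example.php`; the point is that neither function is a substitute for sending the value as a bound parameter, where no escaping step exists to be undone.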

Firstly: the mysql_real_escape_string function will help prevent SQL injections (to a degree), but it is not the best way to go about securing your database. There are known vulnerabilities with the function when different connection charsets are not used properly and more importantly, the mysql functions are no longer recommended. To quote PHP.net:

Use of this extension is discouraged.

The best way to guard against SQL injections is to use prepared statements. To use prepared statements, you should switch to the PDO object or mysqli.

Secondly, you shouldn't really be using strip_tags on input. Why? Because if a user enters something inside tags, then you're going to experience a loss of data integrity. Personally, I think that strip_tags should only be used on output. i.e. when you're displaying user-entered data.

Thirdly, strip_tags won't guard against all XSS attacks. Personally, for guarding against XSS, I'd go for something like:

echo htmlspecialchars($stringToOutput, ENT_QUOTES, 'UTF-8');

htmlspecialchars will convert all special characters to their relevant HTML entities.

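To show the "store raw, escape on output" approach this answer recommends end to end, here is an added example (not code from the answer). It uses an in-memory SQLite database through PDO so it runs without a MySQL server; that DSN and the users table are assumptions for the demo, and the input values are constructed.

```php
<?php
// Added example: keep the user's input unmodified in the database via a
// prepared statement, and escape only when rendering HTML.

function openDb(): PDO
{
    // Assumption: pdo_sqlite is available. For MySQL use a 'mysql:...' DSN.
    $db = new PDO('sqlite::memory:');
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

function storeName(PDO $db, string $name): void
{
    // The value travels separately from the SQL text, so quotes, tags or
    // semicolons in $name cannot alter the statement. No strip_tags(),
    // no escaping: the data is kept exactly as entered.
    $st = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $st->execute([':name' => $name]);
}

function findByName(PDO $db, string $name): array
{
    $st = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $st->execute([':name' => $name]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function renderName(string $name): string
{
    // Escape at output time, for the HTML context, as the answer suggests.
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

$db = openDb();

// Constructed inputs: a plain name and one with the characters a naive
// concatenated query or strip_tags() would mangle.
$inputs = ["Alice", "O'Brien <b>bold</b>"];
foreach ($inputs as $in) {
    storeName($db, $in);
}

// Both rows come back intact; the second still contains its quote and tags,
// and only the rendered form has them converted to entities.
foreach ($inputs as $in) {
    $rows = findByName($db, $in);
    if (count($rows) !== 1 || $rows[0]['name'] !== $in) {
        throw new RuntimeException('stored value was altered');
    }
    echo renderName($rows[0]['name']), PHP_EOL;
}
```

The same shape applies to the original form: bind `$_POST['name']` as `:name` on insert, and call htmlspecialchars() wherever the name is later echoed into a page.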

You should consider using some framework for that instead of doing it manually. Take a look at Zend_Db or PDO(read prepared statements).

An example with PDO:

$dsn = 'mysql:dbname=testdb;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';
try {
    $dbh = new PDO($dsn, $user, $password);
} catch (PDOException $e) {
    // stop here: $dbh is undefined if the connection failed
    exit('Connection failed: ' . $e->getMessage());
}
// placeholders must not be quoted: ":colour" in quotes would be a string literal
// and the bound parameter would not match
$st = $dbh->prepare( '
    INSERT INTO fruits( name, colour )
    VALUES( :name, :colour )
' );
$st->execute( array( ':name' => 'Apple', ':colour' => 'red' ) );


The code you posted will work. However, it is better to escape the string at the latest moment possible. This will keep your variables clean, since you don't want to work with escaped strings before the actual query.

An example:

$query = "SELECT * FROM tablename WHERE column1 = '". mysql_real_escape_string($_POST['name']) ."'";

Also note that mysql_* functions are not maintained anymore; you could use mysqli_* instead, but the best way is to use prepared statements with PDO.

2 Comments

mysql_* are not deprecated, just not maintained anymore - they'll be deprecated in the next major release (hopefully). Also: I'd suggest using PDO instead of mysqli_* simply because mysqli_* still allows for old-school procedural coding (which is what we're trying to get away from) and PDO offers an array of drivers, for DBs other than MySQL... so it's more future-proof.
@EliasVanOotegem Thanks for your input! I edited the answer accordingly.
