25 Aug 2009

Injection Prevention – looping mysql_real_escape_string()


Most of the sites I build use MySQL and PHP. Most of them are interactive and need input from users, which opens up a big security hole: attackers can use a simple ploy called SQL injection to insert malicious code. The blog post MySQL Tutorial – SQL Injection covers the mysql_real_escape_string() PHP command, which helps reduce the risk.

Building on top of this, a simple foreach loop automates the process:

foreach ($_POST as $key => $value) {
    // overwrite each posted value with its escaped form
    // (mysql_real_escape_string() needs an open mysql_connect() link)
    $_POST[$key] = mysql_real_escape_string($value);
}

or

foreach ($_GET as $key => $value) {
    // same treatment for query-string values
    $_GET[$key] = mysql_real_escape_string($value);
}

The two snippets above cycle through the submitted data and escape the special characters in each value (quotes, backslashes, NUL and the like) before it reaches a query.

While this doesn't protect your site 100%, it certainly helps.
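As an added example (not code from the original post), here is the same loop written for mysqli, since the mysql_* functions were removed in PHP 7, extended to nested form fields, and followed by the case the loop alone does not cover: a value used in a numeric position. $db is an assumed open mysqli connection and the field names are made up for the illustration.

```php
<?php
// Recursive version of the escaping loop. Form fields such as
// tags[]=a&tags[]=b arrive as arrays, which the plain foreach above
// would hand straight to the escaper; this walks into them instead.
function escape_request(mysqli $db, array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value)
            ? escape_request($db, $value)
            : $db->real_escape_string((string) $value);
    }
    return $out;
}

$safe = escape_request($db, $_GET);

// Escaping only protects a value that ends up inside single quotes in
// the SQL text. Dropped into a numeric position it is still injectable:
//   "SELECT * FROM items WHERE id = " . $safe['id']   // escaping does not help
// so the escaped copy must still be quoted, or cast, at the point of use.
$id   = (int) $safe['id'];                              // numeric context: cast
$name = $safe['name'];                                  // string context: quote
$sql  = "SELECT * FROM items WHERE id = $id AND name = '$name'";
$rows = $db->query($sql);

// A prepared statement sidesteps the question entirely: the values are
// sent separately from the query text, so no escaping step is needed and
// the numeric/string distinction is declared in the type string ('is').
$stmt = $db->prepare('SELECT * FROM items WHERE id = ? AND name = ?');
$rawId   = $_GET['id'];
$rawName = $_GET['name'];
$stmt->bind_param('is', $rawId, $rawName);
$stmt->execute();
$rows = $stmt->get_result();
```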

One Response to “Injection Prevention – looping mysql_real_escape_string()”

  1. PHP Password Salt and Pepper using sha1 MD5 Hash | Create My - eCommerce and Web Design Hornsby - eCommerces and Web Design Sydney says:

    [...] The Create My solution was to make it just that little bit more annoying and complicated to reverse adding enough deterrents for the hackers just find the time to break the encoding just too annoying. Along with encoding the password in the database you need to add SQL injection protection measures. [...]
