PHP Server Side Scripting Forum

Protecting against SQL Injection Attacks & the like

 8:51 pm on Feb 8, 2010 (gmt 0)


I'm building a site in PHP & MySQL. I'm looking for what I need to do in order to protect the site from sql injection and other attacks.

It's on a shared hosting account, and unfortunately there doesn't seem to be any support for "mysqli_connect" (which seems to offer the best protection from what I've read so far).

Aside from placing "strip_tags()" around all POST & GET requests, are there other things I can do?




 9:02 pm on Feb 8, 2010 (gmt 0)

E.g. currently I'm doing:


Should I also be doing a str_replace for words like "SELECT" etc?


 9:22 pm on Feb 8, 2010 (gmt 0)

Hi TravelSite,

This thread in our library may help:



 9:36 pm on Feb 8, 2010 (gmt 0)

Aside from the useful thread linked above... The most straightforward way of doing it is to apply the PHP MySQL "escape" function to any user input that is going to touch the database. Such as follows:

// requires an open mysql_connect() link; escapes ' " \ NUL \n \r and Ctrl-Z
$firstname = mysql_real_escape_string($_REQUEST['firstname']);
// then use $firstname where needed, inside single quotes in the query

The reason I say most straightforward is that it will escape any characters that could cause harm. However, my understanding is that this is not 100% secure; but that it is significantly more secure than doing "add slashes" or "strip tags".

If you wish to "strip tags", I would do so... but after "real escape" is run on it first.

To be even safer, I usually run a regular expression against the input to automatically trash any unknown or unexpected characters. For example, if I'm asking for an 'age' and know that it should be returned as a number, I'll run a reg. exp. against it to strip out any non-numeric characters... and then use this result in the scripting (to validate, to put in DB, etc). This combined with the "real escape" function helps to stem injection by properly escaping and properly controlling input.
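The two layers described in the reply above, escaping for string values and a whitelist for values that must be numbers, as an added example that is not code from the original thread. It uses a constructed input array in place of $_REQUEST, and my_escape() is an assumed stand-in that applies the same rules as mysql_real_escape_string(), which needs an open mysql_connect() link and so cannot run offline; on a real site, call mysql_real_escape_string() instead. The example also goes one step past the post by showing the case escaping cannot cover: an unquoted numeric context.

```php
<?php
// Added example, not code from the original post.
// Assumptions: $input stands in for $_REQUEST, and my_escape() stands in
// for mysql_real_escape_string() so the script runs without a database.

// Stand-in applying the same rules as mysql_real_escape_string():
// backslash-escape NUL, \n, \r, \, ', " and Ctrl-Z.
function my_escape($s) {
    return strtr($s, array(
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}

// Whitelist for a value that must be a small positive integer, e.g. an age.
// Returns the integer, or null if the input contains anything else.
function clean_age($s) {
    if (!preg_match('/^\d{1,3}$/', $s)) {
        return null;
    }
    return (int) $s;
}

// Constructed hostile input standing in for $_REQUEST.
$input = array(
    'firstname' => "Bob' OR '1'='1",
    'age'       => '30 OR 1=1',
);

// 1. Unescaped concatenation: the quote in the input closes the string
//    literal and the rest of the input becomes SQL (classic injection).
$unsafe = "SELECT * FROM users WHERE firstname = '" . $input['firstname'] . "'";

// 2. Escaped and quoted: the quote becomes \' inside the literal, so the
//    whole input is compared as one string and the OR clause never runs.
$firstname   = my_escape($input['firstname']);
$safe_string = "SELECT * FROM users WHERE firstname = '" . $firstname . "'";

// 3. Escaping does NOT help in a numeric (unquoted) context: there is no
//    quote to escape, so "30 OR 1=1" lands in the query unchanged.
$age_escaped  = my_escape($input['age']);
$still_unsafe = "SELECT * FROM users WHERE age = " . $age_escaped;

// 4. The whitelist from the reply: anything that is not digits is rejected
//    before a query is built, so the numeric context is safe.
$age = clean_age($input['age']);
if ($age === null) {
    $safe_number = null; // refuse the request rather than build a query
} else {
    $safe_number = "SELECT * FROM users WHERE age = " . $age;
}

printf("unsafe string:   %s\n", $unsafe);
printf("escaped string:  %s\n", $safe_string);
printf("escaped number:  %s\n", $still_unsafe);
printf("whitelisted age: %s\n", $safe_number === null ? 'rejected' : $safe_number);
```

Two things to take from the output: escaping only protects a value that is wrapped in quotes in the query, so every escaped string must be placed inside quotes, and every value used unquoted (numbers, column names, ORDER BY directions) must be validated against a whitelist rather than escaped. Where the host does offer mysqli or PDO, bound parameters replace both steps for values, since the value is never spliced into the SQL text at all.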


 10:18 pm on Feb 8, 2010 (gmt 0)

Hi dreamcatcher & CyBerAliEn,

- Thanks for the info. I've started changing things to use mysql_real_escape_string, and will read through the rest of it shortly.


WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved