brotherhood_of_LAN - 2:55 am on Nov 8, 2012 (gmt 0)
Yes, anything that comes from the client side *has* to be checked to prevent SQL injections:
- Check whether a variable exists
- If it's meant to be a number, check it's a number. I like to avoid quoting numbers going into a DB, so I always remember to check.
- Use real_escape_string on all other variables
From the compromises of user details I come across, it's almost always an SQL injection.
As an aside, I use a MySQL UDF that allows me to execute shell commands inside procedures. Highly dangerous if you consider the potential of injections there... but if you're thorough in avoiding unchecked user-supplied variables roaming freely through scripts, then there's nothing to worry about on that front.
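As an added illustration of the three checks in the post above (example code, not the poster's own), here is the unchecked query pattern beside a version that applies them in PHP with mysqli. The `$db` handle, the `users(id, name)` table and the helper names are assumptions made for this example.

```php
<?php
// Added example, not the poster's code: the three checks from the post above,
// shown against the unchecked pattern they are meant to replace.
// Assumes a mysqli handle $db and a table `users(id, name)` (both constructed here).

// 1. Check that the variable exists (and is a plain string, not an array).
function requireParam(array $src, string $key): string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        throw new InvalidArgumentException("missing parameter: $key");
    }
    return $src[$key];
}

// 2. A value used as an unquoted number must really be digits:
//    ctype_digit rejects "", "-1", "1e3" and "1 OR 1=1"; 18 digits fits a 64-bit int.
function requireInt(array $src, string $key): int
{
    $raw = requireParam($src, $key);
    if (!ctype_digit($raw) || strlen($raw) > 18) {
        throw new InvalidArgumentException("not a positive integer: $key");
    }
    return (int) $raw;
}

// 3. Every other value goes through the connection's real_escape_string and is
//    always single-quoted in the SQL (escaping alone does not protect an unquoted value).
function requireEscaped(mysqli $db, array $src, string $key): string
{
    return $db->real_escape_string(requireParam($src, $key));
}

// The unchecked pattern the post warns about: request values dropped straight in.
function findUserUnsafe(mysqli $db, array $get): ?array
{
    $sql = "SELECT id, name FROM users WHERE id = {$get['id']} AND name = '{$get['name']}'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// Hardened form following the three steps.
function findUserSafe(mysqli $db, array $get): ?array
{
    $id   = requireInt($get, 'id');             // verified digits, left unquoted
    $name = requireEscaped($db, $get, 'name');  // escaped, and quoted below
    $sql  = "SELECT id, name FROM users WHERE id = $id AND name = '$name'";
    return $db->query($sql)->fetch_assoc() ?: null;
}
```

A prepared statement (`$db->prepare()` with `bind_param()`) removes the quoting question entirely, since bound values are never parsed as SQL; the existence and type checks above are still worth keeping as input validation.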