Preventing URL Injection

Tips on good defensive measures.

inveni0

6:26 pm on Dec 2, 2006 (gmt 0)

10+ Year Member



Does anyone have any tips on how to prevent SQL injection via URL or FORM data?

Does mysql_real_escape_string really help?

eelixduppy

6:29 pm on Dec 2, 2006 (gmt 0)



mysql_real_escape_string [us2.php.net] is the number one method of preventing sql injection, so you pretty much need to use it.

Also, aside from just escaping the string you may also want to make sure that it contains the information that you are looking for. You can use regular expressions to check the string for content.

jatar_k

6:33 pm on Dec 2, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



try these threads from our PHP library [webmasterworld.com]

SQL Injection Vulnerability [webmasterworld.com]
PHP Security [webmasterworld.com]

inveni0

7:16 pm on Dec 2, 2006 (gmt 0)

10+ Year Member



Yeah, I've paged through that. Oddly, I've tried setting up sites made for doing the SQL injection described in many examples in that first thread, and can't get them to work! So, I was just looking for any additional ideas. It seems, though, that everything boils down to 'error checking' and escaping.

eelixduppy

7:19 pm on Dec 2, 2006 (gmt 0)



>>>and can't get them to work!

If you have any code that you want us to look through then just post what's relevant.

>>>It seems, though that everything boils down to 'error checking' and escaping.

yup ;)

jatar_k

7:20 pm on Dec 2, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



the main thing is to understand what characters/data you are going to accept, then deny all others and force the user to reinput

know what escape chars and special chars are used with the database you have

inveni0

5:08 am on Dec 3, 2006 (gmt 0)

10+ Year Member



Thanks for the help. I have a few different sites that will need some validation. One needs numbers only (shouldn't be difficult) and the other should deny all special characters but the @ symbol (still not hard). Should be easy enough!

Stuperfied

3:59 am on Dec 4, 2006 (gmt 0)

10+ Year Member



Is addslashes/stripslashes a sufficient substitute for mysql_real_escape_string or should mysql_real_escape_string still be employed?

If so, why?

[edited by: Stuperfied at 4:01 am (utc) on Dec. 4, 2006]

ryan_b83

8:44 pm on Dec 4, 2006 (gmt 0)

10+ Year Member



Why not just use magic_quotes?

eelixduppy

8:51 pm on Dec 4, 2006 (gmt 0)




Is addslashes/stripslashes a sufficient substitute for mysql_real_escape_string or should mysql_real_escape_string still be employed?

If so, why?

mysql_real_escape_string escapes \x00, \n, \r, \, ', " and \x1a. Addslashes escapes single quote ('), double quote ("), backslash (\) and NULL. If you are using MySQL, you should go with mysql_real_escape_string or mysql_escape_string.


Why not just use magic_quotes?

Read Why not to use Magic Quotes [us3.php.net]. PHP 5 disables it by default.
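A PHP sketch of the whitelist checks jatar_k and inveni0 describe (digits only; letters, digits and '@' only) next to the escaping difference listed in this post. This is an added example, not code from the thread; `$db` is an assumed mysqli connection, and mysqli is used because the mysql_* functions discussed here no longer exist in PHP 7 and later.

```php
<?php
// Added example, not from the thread. Whitelist the two input shapes inveni0
// mentions, then show why addslashes is not a substitute for the MySQL escaper.

// Numeric id: accept only a run of digits, reject everything else.
function validate_numeric_id(string $raw): ?int
{
    return preg_match('/^\d{1,10}$/', $raw) ? (int) $raw : null;
}

// Handle: letters, digits and '@' only; any other character rejects the input.
function validate_handle(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9@]{1,64}$/', $raw) ? $raw : null;
}

// Of the bytes the MySQL escaper handles (\x00 \n \r \ ' " \x1a), report the
// ones addslashes leaves untouched (as hex), so the gap is visible.
function chars_addslashes_misses(): array
{
    $missed = [];
    foreach (["\x00", "\n", "\r", "\\", "'", "\"", "\x1a"] as $c) {
        if (addslashes($c) === $c) {
            $missed[] = bin2hex($c);
        }
    }
    return $missed;
}

// Usage: $db is an assumed mysqli connection (mysqli replaces the mysql_*
// functions, which were removed in PHP 7).
$id     = validate_numeric_id($_GET['id'] ?? '');
$handle = validate_handle($_POST['handle'] ?? '');
if ($id === null || $handle === null) {
    http_response_code(400);
    exit('Invalid input, please re-enter.');   // deny and force the user to reinput
}

// Escaping route the thread recommends, using the connection-aware escaper
// so the current charset is respected:
$safe = $db->real_escape_string($handle);
$db->query("SELECT name FROM users WHERE id = $id AND handle = '$safe'");

// Parameterised route: the value never becomes part of the SQL text at all.
$stmt = $db->prepare('SELECT name FROM users WHERE id = ? AND handle = ?');
$stmt->bind_param('is', $id, $handle);
$stmt->execute();
```

Validation and escaping are separate layers: the regexes decide whether the value is acceptable at all, while the escaper or the bound parameter keeps an accepted value from altering the query.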

jatar_k

5:51 pm on Dec 5, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you should always use mysql_real_escape_string

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

as for magic_quotes

anything that changes input before you get to see it is a large problem

mikesmith76

5:52 pm on Dec 5, 2006 (gmt 0)

10+ Year Member



Is addslashes/stripslashes a sufficient substitute for mysql_real_escape_string or should mysql_real_escape_string still be employed?

as mentioned, addslashes doesn't escape all the necessary characters; even after using it, SQL injection is still possible. I used to have a link to an article somewhere but can't find it now; if you do a Google search you may be able to find it

Stuperfied

12:19 am on Dec 7, 2006 (gmt 0)

10+ Year Member



I have a lot of work ahead of me. :(

Anyone know of the best approach for modifying Invision to use it?

mikesmith76

6:58 pm on Dec 8, 2006 (gmt 0)

10+ Year Member



In case anyone is interested, here is the addslashes security analysis I mentioned earlier:

[shiflett.org]