I've got a form with lots of fields...
The experience is placed to some php page which queries mysql...
Must I sanitize with
mysql_real_escape_string each and every variable?
Or can one ignore cleaning drop-lists and radios for example?
mysql_real_escape_string, what else must i do in order to prevent attacks?
You should check chooses and radio buttons too. Anybody can make their very own HTML form and publish it for your script. The Opera extension Webmaster Plugin even comes with an choice to convert chooses to text inputs.
You may also make sure that the published data only consists of correct values. For instance, for those who have an invisible button, make certain the published form only contain among the valid values.
You need to obviously only run mysql_real_escape_string on variables that you will put in MySQL. If saving to file for, using around the commandline or anything other, you will find more apropriate functions and solutions.
Generally it's trivial to create a Publish request outdoors from the browser and thus bypass any limitations the drop lower list (for instance) might have enforced on possible values.
Due to this it is best to treat user data as hostile and error-prone and set just as much validation and protection around the server-side as you possibly can.
Another couple of ignorant solutions. Camran, you are bringing in it like magnet.
You need to realize that mysql_real_escape_string is not to complete with forms and radios, with checking and cleaning.
And it doesn't prevent attacks.
It's basically a string getting away function. It escapes an information that likely to be placed into SQL query string like a string data.
SQL query is a touch program. With it's own syntax. You must follow that syntax, not due to "attacks" but due to it is simply a syntax. And, obviously, these rules don't rely on the origin of information! Radio button, html form or browser - all does not matter!
And delay pills work just with strings. Avoid amounts nor identifiers.
Here's my answer regarding how to handle an SQL query: http://stackoverflow.com/questions/2993027/in-php-when-submitting-strings-to-the-db-should-i-take-care-of-illegal-characters/2995163#2995163
Any variable sent in the client can not be consider as safe and valid. If you work with them in query it is best to sanitize them.
You just sanitize the fields you don't want an assailant to hijack. The information could be form any source, not only your page.
mysql_real_escape_string will work for any value which will concatenated right into a query, however i "sanitize" everything. In my experience, "sanitize" means a lot more than handling injection attacks, it offers any area validation too (sting length, number, valid date, empty, etc).
This is a derived table approach that may avoid SQL Injection http://beyondrelational.com/blogs/madhivanan/archive/2010/05/14/derived-table-new-approach-to-avoid-sql-injection.aspx