Do you know how to safeguard against MySQL injection? What exactly are the weak points I ought to consider?

I understand what it is, but I genuinely have no idea how vulnerable I would be, though I've taken (what I want to be) steps toward safeguarding myself and my database.

Is there any sure-fire method of preventing someone?

BTW... I write in PHP :)

Trust nobody!

Sanitize all input -- filter_var() or regexes or in_array() against valid values, or perhaps a mixed strategy based on datatype.

"Input" means any source of input you don't directly control -- not only forms!

Sanitize whatever you read from $_GET, $_POST, $_SESSION, $_COOKIE -- anything that has any chance of being tainted.


Use prepared statements

You need to sanitize all input. How this can be done depends on the programming language and/or framework you're dealing with.


If you work with PHP, the function you're looking for is mysql_real_escape_string($string). You need to use that on everything you receive from the client which goes into the database.

If you are not using a framework that gives you cleaning tools, PHP includes a built-in string escaper, so you can start there. You'll find the documentation on that in the PHP docs for mysql_real_escape_string. If you take a look at example three you'll get a good idea of the fundamentals you can follow.

A rule I follow is to make certain I cast variables where appropriate. For instance, if I am expecting input from the user to be an integer I'll do the following:

$age = (int)$age;

And if a column should be restricted to a couple of values (for instance a gender column), make certain you enforce that in your PHP before putting it into the database.
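One way to put the casting and whitelisting from this answer together with the prepared statements an earlier answer recommends (an added example, not code from any of the posters; the table name, column values and connection credentials are assumptions):

```php
<?php
// Added example: parameterised INSERT with mysqli plus casting/whitelisting.
// Table, column values and credentials below are placeholders.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ALLOWED_GENDERS = ['male', 'female', 'other']; // assumed column values

// Validate raw request fields; returns null so the caller rejects bad input
// instead of trying to "clean" it into something acceptable.
function validate_user_input(array $raw): ?array
{
    // Cast to int: non-numeric input becomes 0, which the range check rejects.
    $age = (int)($raw['age'] ?? 0);
    if ($age < 1 || $age > 150) {
        return null;
    }
    // Whitelist instead of escaping: only a known value ever reaches the query.
    $gender = $raw['gender'] ?? '';
    if (!in_array($gender, ALLOWED_GENDERS, true)) {
        return null;
    }
    // Free text stays as typed; the prepared statement keeps it inert in SQL,
    // and it is HTML-encoded only when displayed, not before storing.
    $name = trim((string)($raw['name'] ?? ''));
    if ($name === '' || strlen($name) > 100) {
        return null;
    }
    return ['name' => $name, 'age' => $age, 'gender' => $gender];
}

function insert_user(mysqli $db, array $user): int
{
    // The SQL text is fixed; values travel separately, so a quote or a
    // comment sequence inside $name cannot change the query structure.
    $stmt = $db->prepare('INSERT INTO users (name, age, gender) VALUES (?, ?, ?)');
    $stmt->bind_param('sis', $user['name'], $user['age'], $user['gender']);
    $stmt->execute();
    return (int)$stmt->insert_id;
}

$user = validate_user_input($_POST);
if ($user === null) {
    http_response_code(400);
    exit('invalid input');
}
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$id = insert_user($db, $user);
echo 'Created user ' . htmlspecialchars($user['name'], ENT_QUOTES, 'UTF-8') . " (id $id)";
```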

I use this PHP function on all input before I use it in any code (MySQL query, data display, etc.). It most likely is not complete, but it should stop all basic attempts at hacking the system:

//$linkID is the link ID of the connection to the MySQL database
function clean_input($input)
{
    GLOBAL $linkID;
    //Remove slashes that were used to escape characters in post.
    $input = stripslashes($input);
    //Remove ALL HTML tags to prevent XSS and abuse of the system.
    $input = strip_tags($input);
    //Escape the string for insertion into a MySQL query, and return it.
    return mysql_real_escape_string($input, $linkID);
}

This might seem easy, but I was tripped up on it for some time.

There's a noticeable difference between encoding with htmlentities() and escaping with mysql_real_escape_string(). I thought of these as fairly interchangeable. However, they're not... as the above will explain. :) Usually it is best to apply both of them, for example first encode, then escape.

When pulling the data out, reverse the process: unescape (as needed), then decode. Note that being specific in the way the steps are carried out (and reversed) will save you lots of headaches and double-escaping worries.