mysql_real_escape_string is used for SQL statements. Is it enough for database security alone? For example, with get_magic_quotes_gpc() we have to use stripslashes. Is there any issue that we have to know about when using other functions with mysql_real_escape_string? Thanks in advance.

+2  A: 

Not really. SQL statements are different: for some of them it helps, for others it does not.

I've answered that question recently: http://stackoverflow.com/questions/2993027/in-php-when-submitting-strings-to-the-db-should-i-take-care-of-illegal-characters/2995163#2995163

Hope it can give you the full picture, but you are welcome to ask if something is unclear.

Note that get_magic_quotes_gpc() and stripslashes are NOT a database issue. It's just an input data validation thing, and it has nothing to do with SQL.

Col. Shrapnel
A: 

1) Turn off magic_quotes_gpc.
2) Is it enough with mysql_real_escape_string()?

codez
+3  A: 

If you want to have a more secure database, simply escaping a string is not enough. This will definitely help in regards to SQL injection attacks, but there are a host of other methods to compromise a database.

Some pointers:

  1. Practice "least privilege" in that the users and accounts that are GRANTed access to your database should have the minimum privileges to complete their tasks and nothing else.
  2. Make sure your passwords are difficult to guess (composed of letters both lower and upper, numbers, symbols, etc.) and changed regularly.
  3. Don't save credit card numbers unless absolutely necessary (assuming you're running a commercial site).
  4. Hash and possibly salt your passwords before storing them in your database if you'll have user accounts.
  5. Check and double-check port numbers (3306 for MySQL) and permissions on files and directories, especially if users are uploading files.

These are generally good practice and you should be aware of issues for databases outside the scope of just SQL injection attacks.

SHC
@SHC: Does this mean that we have only 50%-60% security in PHP?
phpExe
In regards to SQL injection attacks, escaping itself will help nothing.
Col. Shrapnel
Got any real-life example of "least privilege" practice?
Col. Shrapnel
"In regards to SQL injection attacks, escaping itself will help nothing." And what is the solution for SQL injection attacks?
phpExe
Add quotation marks around escaped data at least. And devise something else when you can't.
Col. Shrapnel
@Col. Shrapnel, you are right ;)
phpExe
A simple example of "least privilege" is to prevent PHP code from logging into a database as root. Instead, you should create a new user that is only allowed to INSERT, UPDATE, SELECT, and DELETE on a set of tables or possibly even just columns for a database. You don't want to give this user the power to drop tables, databases, etc.; you only want to give the minimum set of privileges required to complete a task and nothing else.
SHC
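As an added example (not code from any poster in this thread), here is how the points above fit together in PHP: undo magic quotes before escaping, escape only inside a quoted literal, cast values that are not quoted, and prefer prepared statements. It assumes a `users` table and a MySQL connection whose host, user, password and database are placeholders; `mysqli_real_escape_string` stands in for `mysql_real_escape_string`, which was removed in PHP 7.

```php
<?php
// Added example. Connection parameters are placeholders, not real credentials.
$mysqli = new mysqli('localhost', 'app_user', 'PLACEHOLDER', 'app_db');
$mysqli->set_charset('utf8mb4'); // escaping is charset-dependent, so set it first

$name = $_GET['name'] ?? '';
$id   = $_GET['id'] ?? '0';

// If magic_quotes_gpc is still on (PHP < 5.4), the input arrives pre-slashed;
// strip that first, otherwise the value is escaped twice and stored wrong.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $name = stripslashes($name);
    $id   = stripslashes($id);
}

// 1. A string value: escape AND wrap in quotes. Escaping only touches
//    quotes, backslashes, NUL and a few control characters, so without the
//    surrounding quotes nothing stops the value from being read as SQL.
function quoteString(mysqli $db, string $value): string
{
    return "'" . $db->real_escape_string($value) . "'";
}

// 2. A numeric value used without quotes: there is nothing to escape in it,
//    so enforce the type instead. (int) keeps only the leading number and
//    turns anything else into 0.
function quoteInt($value): int
{
    return (int) $value;
}

$sql = 'SELECT id, name FROM users WHERE name = ' . quoteString($mysqli, $name)
     . ' AND id = ' . quoteInt($id);
$rows = $mysqli->query($sql)->fetch_all(MYSQLI_ASSOC);

// 3. Prepared statement: the value is sent separately from the SQL text, so
//    neither escaping nor quoting is left to the application.
$stmt = $mysqli->prepare('SELECT id, name FROM users WHERE name = ? AND id = ?');
$stmt->bind_param('si', $name, $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

Pair this with the restricted account SHC describes: the `app_user` placeholder should be granted only SELECT, INSERT, UPDATE and DELETE on the tables it needs.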