Sample code:

```php
<?php
// Read the submitted value as a string (no validation yet)
$email = "" . $_POST['email'];

// Connect first: mysql_real_escape_string() needs an open connection
$con = mysql_connect("localhost", "user", "pass")
    or die('Could not connect to database.');
mysql_select_db("face", $con);

// Sanitization step: escape using the connection's character set
$sanitemail = mysql_real_escape_string($email, $con);

// Is this safe? The escaped value is placed inside single quotes.
mysql_query("INSERT INTO landing_oct_2010 (email) VALUES ('$sanitemail');", $con);
```
I'd like to know whether, for this simple task, just using mysql_real_escape_string is fully sufficient to prevent at least injection-style SQL attacks, or whether there's some other precaution I should take.

The fact that I'm collecting email addresses in this sample is incidental. If I know I'm working with email addresses, I would just throw in a regex and some DNS checks and there I'd have built-in validation as well. However, I'd like to focus on the general problem at hand: is the single sanitization function enough?
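As an added example (not part of the original question), the same insert written two ways with mysqli: the escaping approach from the question, and a prepared statement in which the value is bound separately from the SQL text. The database name, table, column and credentials are taken from the question; the sample input value is constructed.

```php
<?php
// Added example, not from the original post. Shows (1) the escaping
// approach the question uses, with the two conditions it depends on,
// and (2) a prepared statement, where the value never becomes SQL text.
// Assumed: database "face", table landing_oct_2010(email), and the
// connection details from the question.

// Variant 1: escaping. Two conditions must hold for this to be safe:
//  - the connection character set is set via set_charset(), because
//    real_escape_string() escapes according to that charset;
//  - the escaped value is placed inside single quotes in the SQL string.
//    Escaping does nothing for a value dropped into an unquoted position.
function insert_email_escaped($email)
{
    $db = new mysqli("localhost", "user", "pass", "face");
    if ($db->connect_error) {
        die('Could not connect to database.');
    }
    $db->set_charset('utf8mb4');

    $sanitemail = $db->real_escape_string($email);
    $ok = $db->query(
        "INSERT INTO landing_oct_2010 (email) VALUES ('$sanitemail')"
    );
    $db->close();
    return $ok;
}

// Variant 2: prepared statement. The SQL is sent with a placeholder and
// the value is bound as a string parameter, so quoting is not the
// application's responsibility.
function insert_email_prepared($email)
{
    $db = new mysqli("localhost", "user", "pass", "face");
    if ($db->connect_error) {
        die('Could not connect to database.');
    }
    $db->set_charset('utf8mb4');

    $stmt = $db->prepare("INSERT INTO landing_oct_2010 (email) VALUES (?)");
    if ($stmt === false) {
        die('Could not prepare statement.');
    }
    $stmt->bind_param('s', $email);   // 's' binds the value as a string
    $ok = $stmt->execute();
    $stmt->close();
    $db->close();
    return $ok;
}

// Constructed input: a value containing a quote, the case the question
// is concerned with. Falls back to it when no form value was posted.
$email = isset($_POST['email'])
    ? (string) $_POST['email']
    : "o'brien@example.com";

insert_email_prepared($email);
```

Both variants store `o'brien@example.com` intact; the difference is where the safety comes from. In the first it rests on the quoting and charset conventions being followed at every call site; in the second the database driver keeps the value out of the statement text, so the question of whether escaping was sufficient does not arise for that query.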