Wednesday, 1 August 2012

PHP Security - mysql_real_escape_string()

Hi everyone!!

        mysql_real_escape_string() is a function used to secure pages that store user input in a database and retrieve it later. It is effective against attacks like SQL injection.

$name = mysql_real_escape_string($_POST['name']);

Here $_POST['name'] is the input from a form element.

It may be used in combination with more functions to reinforce the security, as follows:

$name = mysql_real_escape_string(stripslashes(trim($_POST["name"])));



      It is used before executing an insert or update query in MySQL. Its main function is to escape the special characters that could otherwise alter the query during SQL injection and similar attacks. So to keep your website safe, it is a must-do step.

        A point worth paying attention to is that inputs which genuinely require special characters must be handled carefully. Try to make inputs alphanumeric whenever possible.
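The following is an added example, not code from the original post. It shows the escaping step from the two snippets above wired into a complete insert, next to the same insert done with a prepared statement. Because the mysql_* extension was removed in PHP 7, the example uses mysqli_real_escape_string(), which escapes the same characters but takes the connection as its first argument. The table name `users`, its columns, the database credentials and the form input are all assumptions. Two caveats are built into the code: escaping only protects a value that sits inside quotes in the SQL text, so the integer column is cast rather than escaped, and stripslashes() is left out because it only made sense while magic_quotes_gpc added slashes to every request value.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection to a
// table `users(name VARCHAR(64), age INT)` and the credentials below; all of
// these are assumptions made for the example.

// Equivalent of the post's escaping step with the modern function.
function clean_name(mysqli $db, string $raw): string {
    // trim() removes surrounding whitespace. The escape call needs a live
    // connection so that it escapes correctly for the connection's charset.
    // stripslashes() is deliberately not applied: without magic_quotes_gpc
    // it would silently strip legitimate backslashes from the input.
    return mysqli_real_escape_string($db, trim($raw));
}

// Insert using escaping. Escaping only protects a value that is placed
// inside quotes in the SQL string, which is why $age is cast instead.
function insert_user_escaped(mysqli $db, string $name, string $age): bool {
    $safe_name = clean_name($db, $name);
    $safe_age  = (int) $age;   // unquoted context: escaping would not help here
    $sql = "INSERT INTO users (name, age) VALUES ('$safe_name', $safe_age)";
    return (bool) mysqli_query($db, $sql);
}

// The same insert with a prepared statement: the values never become part of
// the SQL text, so there is no quoting context to get wrong and nothing to escape.
function insert_user_prepared(mysqli $db, string $name, string $age): bool {
    $stmt = mysqli_prepare($db, "INSERT INTO users (name, age) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $age_int = (int) $age;
    mysqli_stmt_bind_param($stmt, "si", $name, $age_int);  // "s" string, "i" integer
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Constructed form input, as a POST handler would receive it. The apostrophe
// in the name is the character that would break a naive quoted query.
$input = ['name' => " O'Neil ", 'age' => "42"];

// Assumed connection details.
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'appdb');
if ($db === false) {
    die('connection failed: ' . mysqli_connect_error());
}
// The escape function is only correct for the charset the connection uses,
// so set it explicitly rather than relying on the server default.
mysqli_set_charset($db, 'utf8mb4');

if (!insert_user_escaped($db, $input['name'], $input['age'])) {
    error_log('insert (escaped) failed: ' . mysqli_error($db));
}
if (!insert_user_prepared($db, $input['name'], $input['age'])) {
    error_log('insert (prepared) failed: ' . mysqli_error($db));
}
mysqli_close($db);
```

Both functions store the name as "O'Neil" with the quote intact. The difference is where the protection lives: insert_user_escaped() relies on the developer remembering to quote every escaped value and to cast every unquoted one, while insert_user_prepared() lets the driver keep data and query separate, which is the property that makes the injection class described above irrelevant rather than merely mitigated.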
