2

I'm fairly new to PHP but have been familiar with StackOverflow for a while.

I have recently been reading about appropriate times to use mysql_real_escape_string and would appreciate any advice on the following.

Is using mysql_real_escape_string once, on the initial $_POST variable enough to secure the string through the script?

For example:

$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);
$repeat_password = mysql_real_escape_string($_POST["repeat_password"]);

I declare these values before running a bunch of if statements and finally once the if statements are finished I make an INSERT into the mysql database:

mysql_query("INSERT INTO users (username, password, email, signup_date) VALUES ('$username', '$password', '$email', CURDATE())") or die(mysql_error());

mysql_real_escape_string is not used anywhere else throughout the if statements - is this safe enough for a rookie to use whilst still maintaining some injection protection?

Improve this question
5
  • mysql_real_escape_string is used for escaping text strings Commented Apr 24, 2014 at 23:42
  • You should switch to pdo Commented Apr 24, 2014 at 23:42
  • hmm. I was under the impression that I had a decent idea of what it did - I guess I need to carry on my studies! Commented Apr 24, 2014 at 23:44
  • You shouldn't store the password. If you can't avoid it, salt it with a large random salt, hash it with a decent algorithm that doesn't have large rainbowtables available. Commented Apr 25, 2014 at 0:03
  • 2
    Very good that you are aware of injection.. But why doesn't the canonical question answer your question? Commented Apr 25, 2014 at 0:06

3 Answers 3

Reset to default
1

No, this is not safe. You should switch to prepared statements.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

While I agree that prepared statements are better, can you give an example of where his example could possibly fail?
Aside from the mysqli / pdo endorsement, @user3570991 should not store password in plain text.
@Mark: stackoverflow.com/questions/5741187/…
I'm aware of password encryption - I'm just trying to gain an understanding of the more in depth protection on this basic script before I continue to learn more about php
1

While mysql_real_escape_string() may (currently) protect you from SQL injection its deprecated so you should not you the mysql_* functions anyway, in future versions of PHP It will be removed rending your code useless.

Why drive a bashed up old ford fiesta when you have the keys to a shiny new Lamborghini?

Don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Improve this answer

1 Comment

NB: One needs to be very careful to use mysql_real_escape_string() correctly in order to benefit from the protection it offers. It's possible to be lulled into a false sense of security. See SQL injection that gets around mysql_real_escape_string().
0

Try a prepared statement:

$stmt = $con->prepare("INSERT INTO users (`username`, `password`, `email`, `signup_date`) VALUES (?, ?, ?, ?)");
$stmt->bind_param($username,$password,$email,CURDATE());
$stmt->execute();
$stmt->close();
Improve this answer

1 Comment

Note $con needs to be a string for connecting to your mysql server.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.