Programming Forums


ktsirig Nov 7th, 2006 1:36 PM

PHP & Mysql injection in phplist
 
Hello all,
I want to secure a page which uses the script of "phplist". Basically this script stores username, name, surname, email etc of users in order for the company to send newsletters to their clients.
Apart from stripping slashes, backslashes etc. or special characters, are there any other ways to protect the data stored in the db from someone who wants to "lay their hands" on them?

Thank you!

Jimbo Nov 7th, 2006 1:52 PM

You should probably use mysql_real_escape_string() and that should mostly cover you from user input.

kruptof Nov 7th, 2006 3:35 PM

I think there are a lot of ways to do this... You could check if the person has actually come from the page that you wanted them to come from. Also, you could check if get_magic_quotes_gpc() is set, and if yes then I think you should use strip slashes, then use mysql_real_escape_string. Just try to make the perpetrator's life a bit harder.

jsilver608 Nov 10th, 2006 3:06 AM

You may want to use something like the ADO mysql framework, which allows prepared statements (these can also be more optimized in some situations).
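
The prepared-statement approach suggested in the post above, as an added example that is not part of the original thread and is not phplist's own code. It assumes PHP 7.1+ with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the table, column and function names are hypothetical.

```php
<?php
// Added example: not phplist code. Table, columns and functions are hypothetical.
// PDO with in-memory SQLite keeps it runnable offline; the same
// prepare()/execute() calls apply when the DSN points at MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Constructed sample rows, inserted through a prepared statement so the
// apostrophe in the first name needs no manual escaping.
$insert = $db->prepare('INSERT INTO subscribers (name, email) VALUES (:name, :email)');
foreach ([["Ann O'Brien", 'ann@example.com'], ['Bob Lee', 'bob@example.com']] as [$n, $e]) {
    $insert->execute([':name' => $n, ':email' => $e]);
}

// Weak form: user input is pasted into the SQL text, so quote characters
// in the input become part of the query itself.
function findByEmailConcat(PDO $db, string $email): array
{
    $sql = "SELECT name FROM subscribers WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the query text is fixed and the value is bound separately,
// so the input is only ever compared as data.
function findByEmailPrepared(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT name FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing quote characters.
$input = "nobody@example.com' OR '1'='1";

printf("concatenated: %d row(s)\n", count(findByEmailConcat($db, $input)));
printf("prepared:     %d row(s)\n", count(findByEmailPrepared($db, $input)));
printf("exact match:  %s\n", implode(', ', findByEmailPrepared($db, 'ann@example.com')));
```

With the MySQL driver, PDO emulates prepared statements by default; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server do the preparing.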

codetaino Nov 10th, 2006 8:36 AM

This page gives hints of security issues with php and sql... hope it helps

http://www.sitepoint.com/article/php-security-blunders

