I have secure site with a login before anyone can enter the site and submit any form data. Is this secure enough from SQL injection?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have secure site with a login before anyone can enter the site and submit any form data. Is this secure enough from SQL injection?
NO
SQL Injection has nothing to do with authentication; it has to do with the way you sanitize user input. In other words, a user with perfectly good credentials may have bad intention and decide that he’d want to try and drop your database by entering malicious text on some of your form’s fields.
On PHP, you can use
mysql_real_escape_string()to sanitize your input and form your SQL statements via string concatenation but if you can implement prepared statements (also known as parametrized queries) much better since your query plans may be reused and you gain a performance boost as well.