Sample code:
$email = "" . $_POST['email'];
$con = mysql_connect("localhost","user","pass")
or die('Could not connect to database.');
mysql_select_db("face", $con);
// Sanitization step
$sanitemail = mysql_real_escape_string($email);
// Is this safe?
mysql_query("INSERT INTO landing_oct_2010 (email) VALUES ('$sanitemail');");
I’d like to know if, for this simple task, whether just using mysql_real_escape_string is fully sufficient to prevent at least injection style SQL attacks, or if there’s some other precaution I should take.
The fact that I’m collecting email addresses in this sample is incidental. If I know I’m working with email addresses, I would just throw in a regex and some DNS checks and there I’d have built in validation as well. However, I’d like to focus on the general problem at hand: is the single sanitation function enough?
Yes, it is sufficient. Well, sort of.
When used properly and consistently,
mysql_real_escape_stringshould be sufficient to prevent SQL injection. That function (unlikemysql_escape_string) takes the character set of your connection into account, so it should work for any site, as long as you actually communicate using the correct character set.However, in the past, bugs have existed in the escaping routine, which could potentially cause SQL injection to be possible anyway (given the right conditions).
A better choice is to use parameterized queries with the MySQLi library, since that makes escaping completely unnecessary. Parametereized queries basically work by separating the data from the query structure, which in turn means that it is impossible to do SQL injection. Implementation-wise, it’s also much harder for the database developers to have introduced a bug that allows SQL injection anyway, again because the query structure is given separately.