
foxmagic wrote in php

I could use some recommendations for how to make sure my PHP scripts are safe from malicious users. For example, I know this PHP statement will fail:

$result = mysql_query("select * from users where username='$name'", $db);

if $name has a quotation mark in it, like "Harold's". In fact, if someone submits a form where he types something into the name field like

whatever' or userid='123

then he could pervert the meaning of my SQL statement entirely. This is just a simple example, but I'm concerned that someone who's malicious and dedicated could find a way to do nasty things with SQL queries which simply incorporate input directly from form fields.

So what are some tips for how to avoid this? Is it possible in PHP to issue database queries in a way other than by putting together a string and handing it to mysql_query()?

(I could escape the data in the form values, like with mysql_real_escape_string(), but then it goes into the database escaped, right? And I don't want it to be escaped in the database itself...)
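As an added example (not from foxmagic's post), here is the alternative the question asks about: sending the SQL text and the user's value to MySQL separately with a PDO prepared statement, so the value can never be parsed as part of the statement. The DSN, credentials and the `users` table layout (`username`, `userid` columns) are assumptions for the example.

```php
<?php
// Added example, not code from the original post.
// Assumes a MySQL database reachable at this DSN (hypothetical values).
$dsn = 'mysql:host=localhost;dbname=example;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Disable client-side emulation so the server receives the statement
    // and the bound values separately (true server-side prepared statements).
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The input from the post, intended to break out of the quoted literal.
$name = "whatever' or userid='123";

// Vulnerable pattern from the post (kept as a comment): the value is pasted
// into the SQL text, so the quote in $name changes the statement's meaning.
// $result = mysql_query("select * from users where username='$name'", $db);

// Parameterized pattern: the SQL text holds only a placeholder, and the
// value is bound at execution time. The quote and the "or userid='123" are
// just characters of the username being looked up, never SQL.
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// $rows holds only rows whose username is literally "whatever' or userid='123".

// Inserts work the same way. The database stores the raw string "Harold's";
// no escaping is applied to the value, because it never passes through the
// SQL parser as text.
$ins = $pdo->prepare('INSERT INTO users (username) VALUES (:name)');
$ins->execute([':name' => "Harold's"]);

// The same idea with mysqli, for code that is not using PDO: "?" placeholders
// and bind_param with a type string ("s" = string).
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'example');
$ms = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$ms->bind_param('s', $name);
$ms->execute();
$mrows = $ms->get_result()->fetch_all(MYSQLI_ASSOC);
```

With either API the stored value is the raw string; escaping with mysql_real_escape_string() likewise only protects the SQL text, since the server removes the backslashes when it parses the quoted literal, so nothing arrives in the table escaped.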