MySQL is great, especially for storing large amounts of data such as users, event logs, and tables for forms or CMS systems. There is one big problem though that faces PHP/MySQL developers: MySQL injection. Hackers usually try something like a username and password of ' a='a'. This is a MySQLer's worst enemy. But there are ways to prevent this. Some common functions used are stripslashes() and mysql_real_escape_string(). They provide an extra and pretty sufficient layer of security to MySQL queries. There is something interesting to note. Most variables are inserted into MySQL queries like this: "SELECT * FROM test WHERE test='$var'". Note the variable is not included like ".$var." but is actually included inline between the quotes. So wouldn't it be a simple fact to say that if variables are included like ".$var.", there is an extra layer of security added because of the extra set of quotes that were put in? This means hackers now have to evade the stripslashes()/mysql_real_escape_string() and also put "' a='a'" instead (which most wouldn't think to do). What is your opinion?
*EDIT: Let's also remember that it has been proven too that including variables like ".$var." is much faster, more efficient, and saves memory than just including the variable between quotes ("$var").*
FlashCreations 20 Posting Whiz
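The two inclusion styles and the escaping discussed in the post, alongside the prepared-statement form that keeps query text and data apart, as an added example that is not part of the original post. It substitutes an in-memory SQLite database through PDO for MySQL so it runs offline (the mysql_* extension the post names was removed in PHP 7; the PDO calls are identical for a MySQL DSN), and uses the post's own `' a='a` input as a constructed sample.

```php
<?php
// Added example, not code from the original post. An in-memory SQLite
// database is used through PDO so the script runs offline; the same
// prepared-statement API applies to MySQL (new PDO('mysql:host=...;dbname=...')).
declare(strict_types=1);

// Constructed sample input of the shape the post describes.
$user = "' a='a";

// 1. Interpolation and concatenation build byte-for-byte the same SQL text,
//    so the string the database parses does not depend on which style is used.
$interpolated = "SELECT * FROM test WHERE test='$user'";
$concatenated = "SELECT * FROM test WHERE test='" . $user . "'";
var_dump($interpolated === $concatenated);
echo $interpolated, PHP_EOL;   // the quote from the input has become part of the query grammar

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE test (test TEXT NOT NULL)');
$pdo->exec("INSERT INTO test (test) VALUES ('alice'), ('bob')");

// 2. Escaping (what mysql_real_escape_string() does for MySQL; PDO::quote()
//    here) keeps the quote inside the string literal, so it stays data.
$escapedSql = 'SELECT COUNT(*) FROM test WHERE test = ' . $pdo->quote($user);
echo $escapedSql, PHP_EOL;
echo $pdo->query($escapedSql)->fetchColumn(), PHP_EOL;

// 3. A prepared statement separates query text from data entirely: the
//    input is bound as a value and never becomes part of the SQL text.
function countByName(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM test WHERE test = :name');
    $stmt->execute([':name' => $name]);
    return (int) $stmt->fetchColumn();
}

echo countByName($pdo, 'alice'), PHP_EOL;   // a legitimate lookup
echo countByName($pdo, $user), PHP_EOL;     // the sample input compared as a plain value
```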