zvzej

Reputation: 6336

Am I protecting my website enough from sql injection?

I have made a website where I only display items from my db tables. I pass variables from one page to the other to display certain items; there is no adding, deleting or editing of my table items. My website just displays information.

$aaa = $_POST['aaa'];

$databasehost = "localhost";
$databasename = "mydb";
$databaseusername = "user";
$databasepassword = "password";

// Connect to the database server
$dbcnx = @mysql_connect($databasehost, $databaseusername, $databasepassword);
if (!$dbcnx) {
    echo( "<font color='red'><P>can't connect to server.</P></font>" );
    exit();
}
// Select the database
if (! @mysql_select_db($databasename) ) {
    echo( "<font color='red'><P>can't connect to db </P></font>");
    exit();
}

// Escape the user-supplied value before placing it inside a quoted string literal in the query
$aaa = mysql_real_escape_string($aaa);

// and with $aaa I do my query

I have read that protecting my variables with mysql_real_escape_string() stops any injections into my queries, but I feel vulnerable with:

 $databasehost = "localhost";
 $databasename = "mydb";
 $databaseusername = "user";
 $databasepassword = "password";

Am I just paranoid, or is there a way to protect this information that connects to my server and database?

Upvotes: 1

Views: 127

Answers (3)

Tortoise

Reputation: 208

It shouldn't matter, but if you're concerned about it, just escape all the values being passed to the database with mysql_real_escape_string for strings and take the intval/floatval on numeric values.

It's not perfect security, but it's better than not doing so.

Upvotes: 1

Chris Wiegman

Reputation: 382

If your goal is strictly to protect against injection via the $aaa variable you should be OK. As @MikeG pointed out however you should probably move the connection information into a separate configuration file outside of your web root to improve security (you won't need to worry about injection if someone gets your database credentials).

Upvotes: 1

Mike G

Reputation: 4793

There is no way for anyone to see the db connection information without gaining access to your server (since the PHP is executed on the server and not sent to the user's browser). That being said, if you are concerned about that you may want to consider putting those variables in a configuration file, and encrypting them.

Upvotes: 4
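A worked example, added here and not part of the question or any of the answers, that pulls together the points raised in the thread: the credentials read from a config file kept outside the web root (as Mike G and Chris Wiegman suggest), the escape-strings-and-cast-numbers discipline Tortoise describes, and the same query written as a prepared statement. It uses the mysqli extension instead of the mysql_* functions in the question, because mysql_* was removed in PHP 7; the config path /etc/myapp/db.php, the table items with its columns, and the extra id parameter are assumptions made for the example.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7+ with mysqli.
//
// Assumed config file /etc/myapp/db.php, stored OUTSIDE the document root and
// readable only by the web server user (e.g. chmod 0640, owned by root:www-data):
//
//   <?php
//   return [
//       'host' => 'localhost',
//       'name' => 'mydb',
//       'user' => 'user',
//       'pass' => 'password',
//   ];
//
// Moving the file out of the web root means a misconfigured server that serves
// .php files as plain text cannot leak the credentials to a browser.
$config = require '/etc/myapp/db.php';

$db = new mysqli($config['host'], $config['user'], $config['pass'], $config['name']);
if ($db->connect_error) {
    // Log the detail server-side; never echo connection errors to the visitor.
    error_log('DB connection failed: ' . $db->connect_error);
    exit('Cannot connect to the database.');
}
// Escaping is charset-aware, so fix the connection charset before escaping anything.
$db->set_charset('utf8mb4');

// Untrusted request input (the second parameter is an assumption for the example).
$name = isset($_POST['aaa']) ? $_POST['aaa'] : '';
$id   = isset($_POST['id'])  ? $_POST['id']  : '0';

// 1. The approach from the thread. real_escape_string only protects a value that
//    lands INSIDE a quoted string literal; a value used in an unquoted numeric
//    position must be cast instead (intval/floatval), as Tortoise points out.
$safeName = $db->real_escape_string($name);
$safeId   = (int) $id;
$sql = "SELECT id, name FROM items WHERE name = '$safeName' AND id = $safeId";
$result = $db->query($sql);

// Broken variant for contrast: escaping an unquoted position changes nothing,
// because an input such as "1 OR 1=1" contains no characters that need escaping.
// $sql = "SELECT id, name FROM items WHERE id = " . $db->real_escape_string($id);

// 2. Prepared statement: the query text is fixed before any value is bound, so the
//    quoting/casting discipline above is no longer something the developer can forget.
$stmt = $db->prepare('SELECT id, name FROM items WHERE name = ? AND id = ?');
$stmt->bind_param('si', $name, $id);  // 's' = string, 'i' = integer
$stmt->execute();
$result = $stmt->get_result();

// Output is still untrusted data going into HTML; escape it for that context too.
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}

$stmt->close();
$db->close();
```

Either approach defends against injection through $aaa; the prepared statement is the one to reach for by default because it does not depend on remembering which parameters are quoted strings and which are bare numbers. The config file does not have to be encrypted to be useful: the web server process must be able to read the credentials anyway, so the gain comes from the file permissions and from its location outside the served directory tree.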
