mysql_real_escape_string : Is it enough for database security alone?

Question

mysql_real_escape_string is used for SQL statements. Is it enough for database security alone? For example with get_magic_quotes_gpc() we have use stripslashes. Is there any issue that we have to know about using other function with mysql_real_escape_string ? Thanks in advance

Answer 1

If you want to have a more secure database, simply escaping a string is not enough. This will definitely help in regards to SQL injection attacks, but there are a host of other methods to compromise a database.

Some pointers:

1. Practice "least privilege" in that the users and accounts that are GRANTed access to your database should have the minimum privileges to complete their tasks and nothing else.
2. Make sure your passwords are difficult to guess (composed of letters both lower and upper, numbers, symbols, etc.) and changed regularly.
3. Don't save credit card numbers unless absolutely necessary (assuming you're running a commercial site).
4. Hash and possibly salt your passwords before storing them in your database if you'll have user accounts
5. Check and double-check port numbers (3306 for MySQL) and permissions on files and directories, especially if users are uploading files

These are generally good practice and you should be aware of issues for databases outside the scope of just SQL injection attacks.

Answer 2

1)turn off magic_quotes_gpc
2)Is it enough with mysql_real_escape_string()

Answer 3

not really. SQL statements are different. for some of them it helps, for others - not.

I've answered that question recently: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

Hope it can give you the full picture, but you are welcome to ask if something is unclear.

Note that get_magic_quotes_gpc() and stripslashes are NOT database issue. It's just input data validation thing, and it has nothing to do with SQL