I am currently developing an API for a service and was wondering if this could be classed as safe enough to prevent injection and/or other malicious attacks on the databases.
$username = mysql_real_escape_string(ereg_replace("[^A-Za-z0-9]", "", $_REQUEST['username']));
$password = mysql_real_escape_string(ereg_replace("[^A-Za-z0-9]", "", $_REQUEST['password']));
What this is doing is stripping out everything but letters and numbers and then running the mysql_real_escape_string command to run a fine comb in case something managed to get through.
Upvotes: 1
Views: 96
Reputation: 13574
Nathaniel,
Should be fine for your usernames (maybe add '_' to the RE), but you've got a real problem with passwords, haven't you? Any half-decent authentication actively encourages a user to choose a password which contains symbol(s), as well as letters, UPPERCASE LETTERS, and numbers.
So I guess I'd just stick to using mysql_real_escape_string - Escapes special characters in a string for use in an SQL statement ... after CAREFULLY reading the documentation, of course.
Cheers mate. Keith.
Upvotes: 0
Reputation: 1621
Just your regex would be enough, without any further cleaning.
However, you should consider creating some sort of layer between your forms and the database to do this cleaning automatically.
Upvotes: 0
Reputation: 490423
Skip the deprecated ereg_replace() function and just use mysql_real_escape_string().
Also, why would you want to limit the user's password to a subset of chars? This just makes breaking in much easier.
Upvotes: 2
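As an added illustration of the advice in the answers (not code from the question or any answer), here is the same check with the username whitelist kept and '_' added as the first answer suggests, while the password is left exactly as typed and handed to the database through a PDO prepared statement instead of mysql_real_escape_string. The table and column names are assumed, SQLite in memory stands in for MySQL so it runs stand-alone, and password_hash/password_verify are used for storage, which the thread does not discuss.

```php
<?php
// Added example; not from the question or any answer above.
// PDO with an in-memory SQLite database so it runs stand-alone; a real
// service would use a MySQL DSN. Table and column names are assumed.

// Username: keep the whitelist idea from the question, with '_' added as
// the first answer suggests. preg_replace replaces the deprecated ereg_replace.
function normalizeUsername(string $raw): ?string {
    $clean = preg_replace('/[^A-Za-z0-9_]/', '', $raw);
    return ($clean === '' || strlen($clean) > 32) ? null : $clean;
}

// Password: do NOT strip characters. Any input is acceptable because it
// never becomes part of the SQL text: it is bound as a parameter below.
function checkLogin(PDO $db, string $rawUsername, string $rawPassword): bool {
    $username = normalizeUsername($rawUsername);
    if ($username === null) {
        return false;
    }
    // Prepared statement: the placeholder is bound, so quotes, semicolons
    // or comment sequences in the input are data, never SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    return password_verify($rawPassword, $row['password_hash']);
}

// Constructed demo data (assumed schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
// A password full of symbols and a quote is stored and compared unchanged.
$ins->execute([':u' => 'nathaniel_1', ':h' => password_hash("p@ss'w0rd!#", PASSWORD_DEFAULT)]);

var_dump(checkLogin($db, 'nathaniel_1', "p@ss'w0rd!#"));  // correct password
var_dump(checkLogin($db, 'nathaniel_1', 'p@ssw0rd'));     // wrong password
var_dump(checkLogin($db, "nathaniel 1", "p@ss'w0rd!#"));  // whitelist turns the name into 'nathaniel1', no such user
```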