Menu
I am aware I should be using prepared statement's but my next project will be using prepared statement's I just need to finish this simple little application.
So my question is:
Is this following snippet of code secure ?
I have used htmlentities aswell as mysql_real_escape_string because I thought it was a safe option.
//Image
$imageInput = $_POST['Image'];
$imageClean = htmlentities($imageInput, ENT_QUOTES, 'UTF-8');
//Inserts values into relevant field and creates a new row.
mysql_query("UPDATE ***** SET image='" . mysql_real_escape_string($imageClean) . "' WHERE id=" . mysql_real_escape_string($idClean) . "");
to add the code for the $idClean is:
//Id to change
if(ctype_digit($_POST['testimonial']))
{
$idInput = $_POST['testmonial'];
$idClean = htmlentities($idInput, ENT_QUTOES, 'UTF-8');
}
Thanks for your help.
p.s if you could suggest something to add that would be great.
781
Depends on how clean your $idClean is.
WHERE id=" . mysql_real_escape_string($idClean) . "
mysql_real_escape_string only prepends backslashes to \x00, \n, \r, \, ', " and \x1a, but it won't stop the attacker using
$idClean = "1 OR 1=1 AND POSSIBLY OTHER SQL STATEMENTS"
Instead of mysql_real_escape_string you should just convert it to an int.
121
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
