Protect your database from SQL injection

Latest post 09-27-2007 10:20 AM by kcomer. 1 reply.

Protect your database from SQL injection

09-24-2007 3:03 PM

Hi,

I want to protect myself from SQL injection. My server is configured with magic_quotes_gpc ON. People suggest I use mysql_real_escape_string(), but I don't understand why and what the difference is. Moreover, I use MD5 on my passwords. Is this enough?

Thanks.

RE: Protect your database from SQL injection

09-27-2007 10:20 AM

With magic_quotes_gpc, only get, post and cookie (gpc) variables will be escaped for single and double quotes, backslashes and nulls. mysql_real_escape_string will make sure an entire string is safe for mysql, no matter where the values came from. It's a good function to use and is just another layer to help protect you from sql injections.

MD5 to store passwords in mysql is fine. You should also be concerned with how they are sent from the client to the mysql server.

Keith
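The example below is added to this thread and is not code from either poster. It puts the three approaches discussed side by side in PHP: the vulnerable string concatenation, the escaping route the reply recommends (with the magic_quotes_gpc double-escaping pitfall handled, and the numeric-column case where escaping alone does not help), and the mysqli prepared statement that avoids the problem entirely. It assumes a mysqli connection `$db` and a hypothetical table `users(id, username, password_hash)`; neither is from the original posts.

```php
<?php
// Added example, not from the original thread.
// Assumes: a mysqli connection $db and a hypothetical table
//   users(id INT, username VARCHAR, password_hash VARCHAR)

// magic_quotes_gpc (removed in PHP 5.4) already added backslashes to
// $_GET/$_POST/$_COOKIE. Strip them first so that escaping happens exactly
// once; otherwise a name like O'Brien is stored as O\\'Brien.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// VULNERABLE: the input is pasted straight into the SQL text. A single
// quote inside $username ends the string literal early and whatever
// follows is parsed by MySQL as SQL, not as data.
function find_user_unsafe(mysqli $db, string $username) {
    $sql = "SELECT id FROM users WHERE username = '$username'";
    return $db->query($sql);
}

// ESCAPED: what the reply recommends. real_escape_string() is aware of the
// connection character set (unlike addslashes/magic_quotes). It is only
// correct when the value sits inside quotes in the SQL.
function find_user_escaped(mysqli $db, string $username) {
    $safe = $db->real_escape_string(raw_input($username));
    $sql  = "SELECT id FROM users WHERE username = '$safe'";
    return $db->query($sql);
}

// CAVEAT: escaping does nothing for an unquoted numeric column, because
// there is no quote to escape. Cast to the expected type instead.
function find_user_by_id_escaped(mysqli $db, string $id) {
    $num = (int) raw_input($id);          // "7 OR 1" becomes 7
    return $db->query("SELECT id FROM users WHERE id = $num");
}

// PREPARED STATEMENT: the SQL text is sent to the server without any user
// data in it; the values travel separately as typed parameters, so there is
// no escaping step to forget or to apply twice.
function find_user_prepared(mysqli $db, string $username): ?array {
    $stmt = $db->prepare(
        "SELECT id, password_hash FROM users WHERE username = ?"
    );
    $stmt->bind_param('s', $username);    // 's' = string, 'i' = integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Login check built on the prepared statement. password_hash()/
// password_verify() (PHP >= 5.5) produce salted, slow hashes and are the
// current replacement for storing a bare MD5 of the password.
function login(mysqli $db, string $username, string $password): bool {
    $row = find_user_prepared($db, raw_input($username));
    if ($row === null) {
        return false;
    }
    return password_verify(raw_input($password), $row['password_hash']);
}

// Registration: store password_hash($pw, PASSWORD_DEFAULT), never the
// plaintext and never an unsalted digest.
function register(mysqli $db, string $username, string $password): bool {
    $hash = password_hash(raw_input($password), PASSWORD_DEFAULT);
    $stmt = $db->prepare(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)"
    );
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The two points a practitioner should take from this: escaping is a per-value, per-context fix (string literal only, right charset, applied exactly once), whereas a prepared statement removes the injection class by keeping data out of the query text. The reply's last remark about how passwords travel from client to server is a separate transport concern; a TLS connection to MySQL (and HTTPS on the web side) covers it, and it is independent of how the password is hashed at rest.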