I've looked up quite a few tutorials on keeping a secure database, but I still don't know what actions I need to take to protect my database from SQL injection and hackers.
This is the function I've been using to clean out any user input, but I feel like this isn't all there is to it. What other things am I overlooking?
function CleanInput($value) {
    // stripslashes() and mysql_real_escape_string() return the cleaned string;
    // the result has to be assigned back, otherwise $value is returned untouched
    $value = stripslashes($value);
    if (!is_numeric($value)) {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
It's not a bad start, but here's a link to some really useful information:
http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/
The best solution? Use bound parameters. To use these you’ll need to be using the improved mysqli library that comes with PHP5. This technique differs slightly in that you define a query “template” first with placeholders, and then “bind” the parameters to it, and the mysqli library takes care of the appropriate escaping for us:
$query = $mysqli->prepare( "UPDATE tablename SET favorite_color = ?, age = ?, description = ? WHERE user = ?" );
// bind_param() takes its arguments by reference, so literals such as 'red' and 27
// must be placed in variables first; 'sibs' = string, integer, blob, string
$color = 'red';
$age = 27;
$query->bind_param( 'sibs', $color, $age, $some_blob, $variable );
$query->execute();
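To show the difference the answer describes end to end, here is an added example (not code from the question, the answer or the linked article) that puts the same UPDATE next to a version built by string concatenation and then reads the row back with a bound parameter. The connection details, the `tablename` columns and the request field names are assumptions; it uses only the `s` and `i` types, not the blob type from the answer.

```php
<?php
// Assumed placeholder connection details.
$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'app_db');
if ($mysqli->connect_errno) {
    die('Connect failed: ' . $mysqli->connect_error);
}

// Unsafe: the values become part of the SQL text, so any quote or
// comment character in them changes the structure of the query.
function updateColorUnsafe(mysqli $db, string $user, string $color): bool
{
    $sql = "UPDATE tablename SET favorite_color = '$color' WHERE user = '$user'";
    return (bool) $db->query($sql);
}

// Safe: the template is compiled first with ? placeholders; the values
// are sent separately and the server never parses them as SQL.
function updateColorSafe(mysqli $db, string $user, string $color, int $age): bool
{
    $stmt = $db->prepare('UPDATE tablename SET favorite_color = ?, age = ? WHERE user = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // One type letter per placeholder (s = string, i = integer); the
    // arguments must be variables because bind_param() takes references.
    $stmt->bind_param('sis', $color, $age, $user);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// The same technique for a SELECT: bind the WHERE value, then bind the
// result column and fetch it.
function getColor(mysqli $db, string $user): ?string
{
    $stmt = $db->prepare('SELECT favorite_color FROM tablename WHERE user = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($color);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $color : null;
}

// Assumed request fields; no escaping is needed before binding.
$user  = $_POST['user']  ?? '';
$color = $_POST['color'] ?? '';
updateColorSafe($mysqli, $user, $color, 27);
var_dump(getColor($mysqli, $user));
```

The prepared version needs no CleanInput() call at all; the input is passed exactly as received and stored exactly as received.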