Posted by bill on 12/19/06 16:17

bill wrote:
> MySQL newbie, not new to computing.
>
> In my application I accept photos and data, some structured and some
> free text. I store the information (but not the images) in a MySQL
> database and then from that information I construct a web page for the
> user.
>
> The images are always displayed within an <img tag.
>
> The text is displayed as part of the web page, within <p> tags.
>
> The users are all registered and (more or less) trusted individuals
>
> <paranoid mode on>
>
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?
>
> 2: Do I need to worry about PHP statements being embedded in the free
> form data ?
>
> 3: if so, what is the best practices to protect my database/site ?
>
> <paranoid mode off>
>
thanks all for the suggestions.

As I never use user input to a query string, just data, and the
images are not accessible except inside of <img tags it would
seem that I am moderately safe.

bill

• Next in forum: Re: PHP MySQL Connect Problem
• Prev in forum: Getting a function result while in heredoc
• Thread view: Re: SQL injection and PHP spoofing

[Reply to this message]