Posted by Erwin Moller on 12/19/06 12:36
bill wrote:
> MySQL newbie, not new to computing.
>
> In my application I accept photos and data, some structured and
> some free text. I store the information (but not the images) in a
> MySQL database and then from that information I construct a web
> page for the user.
>
> The images are always displayed within an <img tag.
>
> The text is displayed as part of the web page, within <p> tags.
>
> The users are all registered and (more or less) trusted individuals.
>
> <paranoid mode on>
>
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?
Why do you let the visitor fill in data if you do not process it?
>
> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?
That depends 100% on what you do with the data.
A man walks into a shop and wants to buy a knife.
He asks the guy behind the counter: "Do I have to worry this knife will be
used for something dangerous?"
>
> 3: If so, what are the best practices to protect my database/site?
Understand how it works.
Understand how the underlying OS works.
Understand how the security is implemented.
Understand what users are and what rights are on both the OS and the
database.
>
> <paranoid mode off>
>
The fact that you are paranoid doesn't mean they are not after you.
It is good you ask yourself these questions, but don't expect us to answer
them in depth because security is a broad subject.
Regards,
Erwin Moller
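To make "it depends 100% on what you do with the data" concrete, here is an added example (not code from either poster) for the two questions in the thread: building the INSERT and rendering the stored text inside the page. It assumes a mysqli connection $db and a constructed table `photos` with columns `filename` and `caption`.

```php
<?php
// Added example for the thread above; $db and the `photos` table are assumptions.

// 1. SQL injection: the risk lives in how the query string is built, not in
//    whether the text is "processed". Concatenating free text into the SQL
//    means a single quote in the caption changes the statement itself.
function save_caption_unsafe(mysqli $db, string $filename, string $caption): bool {
    $sql = "INSERT INTO photos (filename, caption) VALUES ('$filename', '$caption')";
    return $db->query($sql) !== false;   // vulnerable: data and SQL are mixed
}

// Hardened: a prepared statement sends the SQL and the values separately, so the
// caption may contain quotes, semicolons or anything else and stays data.
function save_caption(mysqli $db, string $filename, string $caption): bool {
    $stmt = $db->prepare("INSERT INTO photos (filename, caption) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("ss", $filename, $caption);
    return $stmt->execute();
}

// 2. "PHP statements embedded in the data": stored text is never run as PHP
//    unless the application itself passes it to eval()/include(), so simply do
//    not do that. What does matter when the text goes into the <p> and <img>
//    tags is HTML/JavaScript in it (cross-site scripting); encode it on output.
function render_photo(string $filename, string $caption): string {
    $f = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $c = htmlspecialchars($caption,  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<img src=\"/photos/{$f}\" alt=\"{$c}\">\n<p>{$c}</p>\n";
}

// Use only filenames the upload handler assigns itself, never the user's
// original name, and check them against a strict pattern before use.
function is_safe_filename(string $name): bool {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/', $name);
}
```

The trusted-user point in the original question does not change any of this: the prepared statement and the output encoding cost nothing and remove the whole class of problem regardless of who typed the text.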