Posted 25 October 2012 - 09:08 AM

I have a custom web application I am playing around with, written in PHP, accessing a MySQL database through an HTML interface.
Let me qualify this and say that I am very new to PHP, and I may be unaware of something considered standard.

I am calling functions from inside my PHP (webpage) file that the user accesses, with 2 or more variables, like:

function TestFunctionRpt($orderby,$sort)

I sanitize both of my input variables using the PHP function "mysql_real_escape_string()".
Now my question is this: this seems very, very simple; am I actually protecting myself from SQL injection?
Is there anything else I need to look out for?

Also, for reference, my function is called like this inside my page:

[source lang="php"]<?php echo $mysite->TestFunctionRpt($_GET['orderby'], $_GET['sort'], $_GET['cust'], $_GET['startdate'], $_GET['enddate']); ?>[/source]

Thank you for reading, hopefully you are having a great day!
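An added illustration, not part of the original post, of the point the question turns on: escaping with `mysql_real_escape_string()` (or its mysqli equivalent) only makes a value safe inside a quoted string literal. `orderby` and `sort` are used as a column name and an ASC/DESC keyword, which are never quoted, so escaping them does nothing; they have to be checked against a fixed list instead, while the real values (`cust`, `startdate`, `enddate`) are bound as parameters. The table `orders` and its columns are hypothetical, mysqli prepared statements are substituted for the deprecated `mysql_*` extension, and `get_result()` assumes the mysqlnd driver and PHP 7 or later.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical table
// `orders` with columns order_id, customer, order_date, total.

// 1. Escaping an identifier/keyword does NOT prevent injection.
function reportVulnerable(mysqli $db, $orderby, $sort)
{
    // real_escape_string only neutralises quotes and backslashes, which
    // matters inside '...'. ORDER BY takes an expression, not a string
    // literal, so e.g. orderby = "(SELECT SLEEP(5))" or
    // sort = "ASC, (SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END)" arrive intact
    // and are executed as part of the query.
    $orderby = $db->real_escape_string($orderby);
    $sort    = $db->real_escape_string($sort);
    return "SELECT order_id, customer, order_date, total FROM orders"
         . " ORDER BY $orderby $sort";
}

// 2. Hardened: map user input onto a whitelist of identifiers/keywords and
//    bind the actual data values as prepared-statement parameters.
const ORDERBY_COLUMNS = [
    'id'       => 'order_id',
    'customer' => 'customer',
    'date'     => 'order_date',
    'total'    => 'total',
];

function reportSafe(mysqli $db, $orderby, $sort, $cust, $start, $end)
{
    // Anything not on the list falls back to a default; the user string
    // itself never reaches the SQL text.
    $column = ORDERBY_COLUMNS[$orderby] ?? 'order_date';
    $dir    = strtoupper($sort) === 'DESC' ? 'DESC' : 'ASC';

    $sql = "SELECT order_id, customer, order_date, total"
         . " FROM orders"
         . " WHERE customer = ? AND order_date BETWEEN ? AND ?"
         . " ORDER BY `$column` $dir";

    $stmt = $db->prepare($sql);
    // Values go through bind_param, so quotes or comment sequences in
    // $cust/$start/$end are data, not SQL.
    $stmt->bind_param('sss', $cust, $start, $end);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage from the page, with the same $_GET keys as the original call:
// $db = new mysqli('localhost', 'user', 'pass', 'shop');
// $rows = reportSafe($db, $_GET['orderby'], $_GET['sort'],
//                    $_GET['cust'], $_GET['startdate'], $_GET['enddate']);
```

The rule of thumb the example encodes: escaping (and better, parameter binding) is for values; anything that becomes part of the SQL structure, such as a column name, a sort direction, a table name or a LIMIT count, has to be chosen from a list the application controls, never built from the request string.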

