Welcome to the MacNN Forums.

Question Concerning SQL Injection
greenG4
Grizzled Veteran
Join Date: Aug 2002
Location: Cardboard Box
Status: Offline
Sep 13, 2007, 09:35 PM
 
I've posted a couple other newbie questions about MySQL and PHP. For those who shook their heads and answered anyway (Chuckit and Besson3c), thank you. I have another after reading "Learning PHP and MySQL". I understand what SQL Injections are, and the book wisely warns me about them. But it also reads as if MySQL and PHP work together to virtually negate any risk.

PHP and MySQL work together to thwart this kind of attack. What happens is the MySQL query command allows only one statement per query. So attempting to start a new query after the first one has already been started generates an error. Additionally, PHP uses a system by default called magic quotes with user input. Magic quotes automatically escape any special characters with a backslash (\), including single and double quotes.

So is there anything else I need to do security-wise here? (btw, I embedded phpAuthent in my app, so there is that security benefit, as well.)
<Witty comment here>
www.healthwebit.com
     
SirCastor
Professional Poster
Join Date: Jan 2001
Location: Salt Lake City, UT USA
Status: Offline
Sep 16, 2007, 12:08 PM
 
You have to make sure Magic Quotes are turned on, but that's about it.
2008 iMac 3.06 Ghz, 2GB Memory, GeForce 8800, 500GB HD, SuperDrive
8gb iPhone on Tmobile
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Status: Offline
Sep 16, 2007, 03:37 PM
 
I wouldn't rely on magic quotes. They cause all sorts of annoyance with slashes showing up everywhere, they don't protect from injection as well as actually validating and escaping input yourself, and they're going to be taken out in the next version of PHP.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
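To illustrate Chuckit's point (validate input and let the database bind parameters instead of relying on magic quotes), here is an added example that is not from this thread or any poster: a lookup that depends on magic quotes beside a hardened version using PDO prepared statements. The `users` table, its columns, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table users(id, name, email)
// and PDO with the MySQL driver (PHP 5.1+). Credentials below are placeholders.

// Undo magic quotes so we work with the raw user input (hypothetical helper).
// From PHP 5.4 magic quotes are gone and get_magic_quotes_gpc() returns false;
// in PHP 8 the function itself is removed, hence the function_exists() guard.
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// DEPENDS ON MAGIC QUOTES: escaping only helps for values inside quotes.
// The unquoted numeric $id is interpolated straight into the SQL text, so
// backslash-escaping quote characters does nothing for it.
function find_user_unsafe(PDO $db, $id, $name)
{
    $sql = "SELECT id, name, email FROM users WHERE id = $id OR name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: check the shape of each input, then send values to the server
// separately from the SQL text via a prepared statement; no escaping needed.
function find_user_safe(PDO $db, $id, $name)
{
    $id = raw_input($id);
    $name = raw_input($name);
    if (!ctype_digit((string) $id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    if (strlen($name) > 64) {
        throw new InvalidArgumentException('name too long');
    }
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = :id OR name = :name');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'PLACEHOLDER');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Use real server-side prepared statements rather than client-side emulation.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$id   = isset($_GET['id'])   ? $_GET['id']   : '';
$name = isset($_GET['name']) ? $_GET['name'] : '';
print_r(find_user_safe($db, $id, $name));
```

The same binding approach is available with mysqli prepared statements; the important part is that user data never becomes part of the SQL string.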
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
Status: Offline
Oct 8, 2007, 07:30 AM
 
I spent years playing around with PHP / MySQL, but since I'm getting serious, I find that Chris Snyder's "Pro PHP Security" is ESSENTIAL reading. And very well written. A lot of server-issue chapters can probably be skipped (expecting your hosting company to be well-versed), but the protection (testing/filtering) of GET- or POST-inputted data from forms is quite thoroughly and understandably covered.

There's a BUNCH to learn about injection, etc., and JUST SAYING NO to Magic Quotes is one of the first.
TOMBSTONE: "He's trashed his last preferences"
All contents of these forums © 1995-2017 MacNN. All rights reserved.