i am currently working on making my site injection proof and was wondering about the validations i am making, my code goes like this:
if(!empty($_POST['city']) && !empty($_POST['street'])){
$city = htmlentities(mysql_real_escape_string($_POST['city']));
$street = htmlentities(mysql_real_escape_string($_POST['street']));
}
my question is isnt the empty check itself is a vulnerability? i mean do i have to escape string in the !empty validation as well? or it is safe to keep it that way? thanks.
For SQL injection you only need to worry when quering the database, so isset is safe.
There should be no need for htmlentities (use it as protection against XSS).
mysql_real_escape_string will protect against SQL injection if done correctly, but should not be used at all, since the mysql_ prefix / DB-handler is outdated, deprecated and should not be used at all. The safest way is to use either mysqli_ or PDO, and use prepared statements.
SQL injection vulnerabilities work like this:
$username = $_GET["username"];
mysql_query("SELECT 1 FROM `users` WHERE `username` = '" . $username . "'");
Now if the value of $_GET["username"] is something like "foo' OR 1=1--"
The query:
SELECT 1 FROM `users` WHERE `username` = 'foo' OR 1=1
--'
will be run which selects all users
If you escape your input you will get the (intended) query:
SELECT 1 FROM `users` WHERE `username` = 'foo\' OR 1=1--'
PHP functions themselves aren't vulnerable.
Maybe this a good analogy: when someone says "Say your name" they want you to say "I'm John" not "your name"