I am new to PHP and coming close to launching. I am using mysql_real_escape_string(); for all user input and all $_GET and $_REQUEST variables. I wanted to test it out but not sure how it's done so i can prevent it and put in proper measures.
SQL injection is when a user attempts to manipulate the intended result of an SQL query. One method, that is cited in Wikipedia as well as all Intro to Databases courses, is when an attacker 'fakes' the end of a SQL command by putting ';, or "; followed by another SQL command.
$_POST['InjectedString'] = "John Doe'; drop table `users`;";
This has the potential to drop your users table if not sanitized.
For a more detailed explanation of SQL injection, visit the Wikipedia page
For a bit of comic relief, check out this XKCD comic.
This is just one method of attempting SQL injection and is used as only a teaching tool, since according to Rook, it doesn't work very well in MySQL.
Try inputting a string similar to the one below in all your form fields (including the hidden ones):
blah'"blah
If you're not escaping it properly, you'll get a sql error. If you get that sql error, you should then be able to figure out how to write a query that does something different than what the original one intended.
I am using mysql_real_escape_string(); for all user input and all $_GET and $_REQUEST variables
well, you are entirely wrong.
First, mysql_real_escape_string() has nothing to do with "user input". This is database-related function, not user-related.
Next, it has nothing to do with "all input" as it's usage limited to strings only. So, if you have a code like this
$id = mysql_real_escape_string($_GET['id']);
$sql = "SELECT * FROM table WHERE id=$id";
you have here escaping absolutely useless and protects nothing.
as for the test - it's kinda tricky. however, there are tools in the internet, I am sure you can google some.