wsbf / wsbf.net

The WSBF website.
https://wsbf.net/

Replace MySQL queries with prepared statements or stored procedures #1

Open bentsherman opened 7 years ago

bentsherman commented 7 years ago

Our PHP scripts currently use MySQL by string concatenation, which makes the scripts potentially vulnerable to SQL injection attacks. I've tried to make sure that POST data is sanitized in all of the PHP scripts (see escape_json() in connect.php) but any place I missed is a vulnerability. Therefore, the alternative is to use prepared statements or stored procedures instead. Both techniques are features of MySQL and they have their own trade-offs, but at some point it may be worth considering this issue.
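As an added illustration (not code from the wsbf.net repository), the string-concatenated pattern the issue describes is shown next to the same lookup as a mysqli prepared statement; the `shows` table, its columns and the connection details are assumed for the example.

```php
<?php
// Added example, not from the wsbf.net codebase. Table name, column names and
// credentials below are assumptions made for illustration only.

$db = new mysqli('localhost', 'user', 'password', 'wsbf'); // assumed credentials
$db->set_charset('utf8mb4');

// BEFORE: the query text is assembled from POST data. Unless every such site
// is escaped first, a quote character in the input changes the structure of
// the SQL rather than just the value being compared.
function find_show_concat(mysqli $db, string $dj_name): array {
    $sql = "SELECT show_id, show_name FROM shows WHERE dj_name = '" . $dj_name . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// AFTER: the SQL text is fixed when prepare() runs and the value travels
// separately, so whatever the user submits is treated as data, never as SQL.
// No per-call escaping is needed, which removes the "any place I missed" risk.
function find_show_prepared(mysqli $db, string $dj_name): array {
    $stmt = $db->prepare('SELECT show_id, show_name FROM shows WHERE dj_name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $dj_name); // 's' binds the value as a string
    $stmt->execute();
    // get_result() needs the mysqlnd driver; bind_result() is the alternative.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$dj = $_POST['dj_name'] ?? '';
header('Content-Type: application/json');
echo json_encode(find_show_prepared($db, $dj));
```

The same query text with `?` placeholders works unchanged through PDO (`$pdo->prepare()` / `execute([$dj])`), so either MySQL client layer in PHP can be used for the migration.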