PHP SQL Injection prevention and MySQL security
Posted on 2007-12-05
I am coming close to publishing my site and I have used PHP and MySQL for all of the site.
I want to ensure I am as secure as I can be, and I fear I don't know enough about SQL injection prevention and I don't want to get stung.
My site has email forms, which I understand is one of my main threats. When I was creating this form a guy on EE said you are open to SQL injection attacks but didn't say any more.
Can anyone give me some advice on how to go about securing my site? Quite a broad question I know, but things like:
Lock web folders that contain my database connection details (includes)
Don't echo errors on pages so the public won't see errors if there is a problem with the site.
How to turn off MySQL errors - Can I echo a custom MySQL error page instead of an actual error being posted and therefore giving info away I don't want to.
I know you guys know your stuff so all advice is welcome.