I'm not familiar with SQL injection and I want to know if there is any vulnerability in my script. If there is, please point it out and give me some tips to fix it.

```php
<?php include("config.php"); ?>
<?php
$desc = $_POST['desc'];
$desc = mysql_real_escape_string($desc);
$author = $_POST['author'];   // taken from the request as-is
$date = date("d/M/Y");
mysql_query("INSERT INTO `changelog`(`author`, `date`, `description`) VALUES ('{$author}','{$date}','$desc')") or die(mysql_error());
include("success.php");
?>
```

2 Answers

Yes there is. You are solely relying on mysql_real_escape_string which has been deprecated. Furthermore you should build some of your own logic tests based on a range of input that you are expecting. You might want to use RegExp or some other trimming functions but don't rely just on mysql_real_escape_string.


You should write some logic to test the data you are expecting.

You can check out http://php.net/manual/en/security.database.sql-injection.php for more information on preventing SQL Injections.
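Both answers recommend not relying on mysql_real_escape_string alone and validating the input you expect; the PHP manual page linked above recommends prepared statements for the same reason. The following is an added example, not the asker's script or either answerer's code, showing the same INSERT rewritten with PDO prepared statements plus a separate validation step. It assumes that config.php defines `$dsn`, `$dbUser` and `$dbPass` (hypothetical names; the original config.php is not shown) and that the `changelog` table keeps the same three columns.

```php
<?php
// Added example (not the original script): the same INSERT done with PDO
// prepared statements so that request data is never interpolated into SQL.
// Assumption: config.php defines $dsn, $dbUser and $dbPass (hypothetical names).
require 'config.php';

// Validation is a separate concern from parameterisation: reject values that
// fall outside what the application expects before they reach the database.
function validateAuthor(string $author): bool
{
    return (bool) preg_match('/^[A-Za-z0-9 _.-]{1,64}$/', $author);
}

function insertChangelog(PDO $pdo, string $author, string $desc): bool
{
    // Named placeholders keep the SQL text fixed; the values are sent to the
    // server separately, so quotes or comment sequences inside $author or
    // $desc are stored as data and cannot alter the statement's structure.
    $stmt = $pdo->prepare(
        'INSERT INTO `changelog` (`author`, `date`, `description`)
         VALUES (:author, :date, :description)'
    );
    return $stmt->execute([
        ':author'      => $author,
        ':date'        => date('d/M/Y'),
        ':description' => $desc,
    ]);
}

$pdo = new PDO($dsn, $dbUser, $dbPass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface driver errors as exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepared statements
]);

$author = $_POST['author'] ?? '';
$desc   = $_POST['desc'] ?? '';

if (!validateAuthor($author) || $desc === '') {
    http_response_code(400);
    exit('Invalid input');
}

insertChangelog($pdo, $author, $desc);
include 'success.php';
```

Two points worth noting about this version. First, the `mysql_*` extension used in the question was deprecated in PHP 5.5 and removed in PHP 7.0, so moving to PDO (or mysqli) is required anyway on any current PHP release. Second, the protection comes from the placeholders, not from escaping: every value, including `$author`, which the original script never escaped, is bound as a parameter, and `PDO::ATTR_EMULATE_PREPARES => false` makes the MySQL server, rather than the client library, handle the separation of query text and data.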
