Re: Secure input

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Feb 27, 2006 at 12:20:51PM +0100, emil@xxxxxxxxxx wrote:
> 
> Hi,
> 
> What shall one do to avoid people that trys to manipulate my server?
> 
> I mysql_real_escape_string() all input from GET and POST.

The mysql_escape_string() will protect you from sql injections, the
thing you have to watch out for is if you have the php.ini
directive magic_quotes_gpc set to On then you will end up with data
in your database like:

  "I\'m escaped"

Which if magic_quotes_gpc is Off you will have in the db:

  "I'm escaped"

The latter is the one you want in the db.  To avoid these issues I
would tend to avoid any magic_* .ini directives and escape the data
when i desire to.

If you are building a tool that may be used in any configuration
setup, you have to detect in your code what to do if
the magic_* directive  is on or off. 

*see the magic directives in: http://php.net/ref.info

> 
> A long time ago I think I used addslashes or something like that too, so people couldn't insert php code in their input. Is that still something I should do, or does mysql_real_escape_string() take care of that too? And is it even possible for a user to execute there own php code if I not output the input via the eval() function?

The main difference between addslashes and mysql_real_escape_string() is
that addslashes() is designed to protect what php may think is harmful,
mysql_real_escape_sting() is designed to protect what the db server
thinks is harmful.

> 
> When users input is displayed for others then themself I try to filter out html tags too.

Instead of filtering out html tags, your best option is to apply
either htmlentities() or htmlspecialchars() to the output from the
input by a user.  

Curt.
-- 
cat .signature: No such file or directory

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux