afan@xxxxxxxx wrote:
After these very helpful comments, I read (again) Shiflett's (and a few others') security articles about filtering input and output. And the more I read, the less is clear :( Before, I used addslashes() before I inserted data in the database and stripslashes() to show them on screen. Later I found it's not good and started using mysql_real_escape_string() to add to the DB and stripslashes() to show on screen.
If you have to stripslashes() when you pull data out of the db, you're doing something wrong (like running with magic_quotes* on, therefore double escaping your data).
But, also, I thought mysql_real_escape_string() is a "filter" for everything, e.g. let's have three links (add, delete, edit) as
mysql_real_escape_string() *only* escapes the data which needs to be escaped for your particular db version.
<a href=index.php?action=add&rec_id=$rec_id>Add new</a>
<a href=index.php?action=edit&rec_id=$rec_id>Edit</a>
<a href=index.php?action=delete&rec_id=$rec_id>Delete</a>

and was doing it this way:

#index.php
<?php
if($_GET['action']) {
    $action = mysql_real_escape_string($_GET['action']);
    $rec_id = mysql_real_escape_string($_GET['rec_id']);
    switch($action) {
        case 'add':
            // add new record
            break;
        case 'edit':
            // edit record
            break;
        case 'delete':
            // delete record
            break;
    }
}
?>

It means that $action I will never store in the DB, nor show on screen. Am I then wrong to use $action = mysql_real_escape_string($_GET['action']); or should I use $action = htmlentities($_GET['action']); or is $action = $_GET['action']; just fine?
If you're not going to display it or insert it... if all you're doing is checking the value of it, then you don't need to modify it.
--
John C. Nichel IV
Programmer/System Admin (ÜberGeek)
Dot Com Holdings of Buffalo
716.856.9675
jnichel@xxxxxxxxxxxxxxxxxxxxxxxxxxx
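The point of the exchange above, worked through as an added example (not code from either poster): the same request parameters handled once per context, so nothing is escaped for a context it never reaches and nothing needs un-escaping on the way out. It assumes PHP 7 or later with mysqli, since the mysql_* functions used in the thread were removed in PHP 7; table and column names are invented.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ and a mysqli connection.
declare(strict_types=1);

const ALLOWED_ACTIONS = ['add', 'edit', 'delete'];

// Context 1: comparison only. No escaping at all: an exact match against an
// allowlist neither stores nor renders the raw value, so there is nothing to
// escape, and anything not on the list is simply rejected.
function resolve_action(string $raw): ?string {
    return in_array($raw, ALLOWED_ACTIONS, true) ? $raw : null;
}

// rec_id is an integer by design; validate its type instead of escaping it.
function resolve_rec_id(string $raw): ?int {
    return ctype_digit($raw) ? (int) $raw : null;
}

// Context 2: SQL. Escape only where the value enters a query, with the live
// connection (mysqli_real_escape_string needs the connection's charset).
// Table/column names are made up for the example.
function build_lookup_sql(mysqli $db, string $title): string {
    return "SELECT id FROM records WHERE title = '"
        . mysqli_real_escape_string($db, $title) . "'";
}

// Context 3: HTML. A different context gets a different escaper. Because the
// stored data was escaped only for SQL, it is stored unaltered and needs no
// stripslashes() when it comes back out.
function html_link(string $action, int $recId): string {
    $href = 'index.php?action=' . rawurlencode($action) . '&rec_id=' . $recId;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars(ucfirst($action), ENT_QUOTES, 'UTF-8') . '</a>';
}

// Dispatcher mirroring the thread's index.php: validate, then branch.
$action = resolve_action($_GET['action'] ?? '');
$recId  = resolve_rec_id($_GET['rec_id'] ?? '');
if ($action === null || $recId === null) {
    http_response_code(400);
    exit('bad request');
}
switch ($action) {
    case 'add':    /* add new record */    break;
    case 'edit':   /* edit record */       break;
    case 'delete': /* delete record */     break;
}
```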