As you said: Filtering. My next question. I have a small form to activate/deactivate a member's account:

    <form method="post" action="members.php">
    <input type="hidden" name="username" value="<?= htmlspecialchars($Username) ?>">
    <input type="hidden" name="status" value="<?= htmlspecialchars($Status) ?>">
    <input type="image" name="action" value="change" src="images/status_live.gif" border="0">
    </form>

and once the administrator clicks on the button:

    if (isset($_POST['action'])) {
        $Username = $_POST['username'];   // same field name as in the form
        $action   = $_POST['action'];     // 'change' or 'edit'
        switch ($action) {
            case 'change':
                // $Username goes into the query as-is; that is what the question below is about
                mysql_query("UPDATE members SET status='live' WHERE Username = '".$Username."'");
                break;
            case 'edit':
                // ...
                break;
        }
    }

Do I have to filter $Username with the mysql_real_escape_string() function even if $Username will not be stored in the DB and I only use it in the WHERE part? If not, how do I filter it?

Thanks

-afan

> At 4:28 PM +0200 5/24/06, afan@xxxxxxxx wrote:
>>after these very helpful comments, I read (again) Shiflett's (and a few
>>others') Security articles about filtering input and output. And the more I
>>read - the less is clear :(
>
> and
>
> At 6:07 PM +0200 5/24/06, afan@xxxxxxxx wrote:
>>Ok. Looks like I DID miss the point :)
>>I thought that with mysql_real_escape_string() I HAVE TO add a slash in front
>>of a quote and THAT's filtering.
>
> No, that's NOT filtering input, as per Shiflett's book.
>
> Filtering input is proving that the data coming in -- IS -- valid data!
>
> Take for example the code he shows on page 11 of his book (Essential
> PHP Security) where:
>
>     <?php
>
>     $clean = array();
>
>     switch ($_POST['color'])
>     {
>         case 'red':
>         case 'green':
>         case 'blue':
>             $clean['color'] = $_POST['color'];
>             break;
>     }
>
>     ?>
>
> If you inspect this code, you will see that the array $clean will
> never have anything in it that's not 'red', 'green', or 'blue' --
> that's filtering input as per Shiflett.
>
> And, that makes perfect sense to me.
>
> tedd
>
> PS: I changed the subject line because it's a different subject. :-)
>
> --
> ------------------------------------------------------------------------------------
> http://sperling.com http://ancientstones.com http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
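An added example, not code from afan's or tedd's posts, that applies the whitelist approach from the quoted color snippet to this form and then binds the filtered value into the WHERE clause instead of concatenating it. It assumes PHP 5.3+ with mysqli, the `members` table and column names from the question, and a username policy (3-32 characters, letters, digits, underscore, dot) that is my assumption, not something the thread states.

```php
<?php
// Added example, not code from the thread. Assumed: PHP 5.3+ with mysqli,
// the members(username, status) table from the question, and a username
// policy of 3-32 characters from [A-Za-z0-9_.] (my assumption, not afan's).

function filter_member_form(array $post)
{
    $clean = array();
    // Username: prove it has the shape we allow; anything else is dropped,
    // so a quote or SQL fragment never reaches $clean.
    if (isset($post['username'])
        && preg_match('/^[A-Za-z0-9_.]{3,32}$/', $post['username'])) {
        $clean['username'] = $post['username'];
    }
    // Status and action: closed lists, exactly like the color example.
    $statuses = array('live', 'inactive');
    if (isset($post['status']) && in_array($post['status'], $statuses, true)) {
        $clean['status'] = $post['status'];
    }
    $actions = array('change', 'edit');
    if (isset($post['action']) && in_array($post['action'], $actions, true)) {
        $clean['action'] = $post['action'];
    }
    return $clean;
}

function update_member_status(mysqli $db, array $clean)
{
    // Filtering may have rejected a field; then nothing is touched.
    if (!isset($clean['username'], $clean['status'])) {
        return false;
    }
    // Even a validated value is bound, never concatenated: a WHERE clause is
    // SQL too and needs the same protection as an INSERT. With the old
    // mysql_* API the equivalent step is mysql_real_escape_string() on every
    // value placed inside quotes, WHERE included.
    $stmt = $db->prepare('UPDATE members SET status = ? WHERE username = ?');
    $stmt->bind_param('ss', $clean['status'], $clean['username']);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Constructed input (no database needed for this part): the hostile
// username is simply absent from $clean, so no query is ever built from it.
$demo = filter_member_form(array(
    'username' => "afan' OR '1'='1",
    'status'   => 'live',
    'action'   => 'change',
));
var_dump(isset($demo['username']), $demo['status']);
```

Note that an `<input type="image">` is submitted by browsers as `action.x`/`action.y` (arriving in PHP as `action_x`/`action_y`), and not every browser also sends a plain `action`, so the `isset($_POST['action'])` guard in the original handler is worth checking against the browsers you need to support.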