RE: Filtering (was storing single and double quote in MySQL)

At 11:51 PM +0100 5/25/06, Chrome wrote:
[snip]
1. Anytime you put anything into a dB then use
mysql_real_escape_string() function. If you are NOT going to put it
in a dB, then you don't need mysql_real_escape_string() function --
understand?
[/snip]

Untrue... It isn't just inserting into a DB that requires this function...
Consider:

User enters:
anything'; DROP TABLE x; SELECT 'a' = 'a

into the form for username... Now your unescaped SQL statement reads:

UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x;
SELECT 'a' = 'a'

Where x can be a brute-forced table name... I can't remember if MySQL allows
multiple statements but I seem to remember hearing that MySQL5 does... If
I'm wrong correct me and tell me to RTFM :)

Nice catch on the error... I didn't notice that :)

HTH (and that I'm right :) )

Dan

Dan:

A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer.

I find that sometimes it's best to provide something simple for someone to learn rather than confuse them with remote possibilities. I taught at college level and believe me when I say there is nothing dumber than a student. Baby steps are best -- and the same for me when I'm learning as well.

In the exchange I had with afan, we were talking about placing data into a dB without the need for escapes and I think the advice I gave him was correct.

I realize that there are exceptions to just about anything IF you dig deep enough. For example did you know that if magic_quotes are turned ON and you use escape_data() that function will use mysql_real_escape_string(). So, here's an example that proves your point, but if I was to inform afan of that, what good would it do? Knowing that hasn't done anything for me.

In any event, your point is well taken -- thanks for the clarification.

tedd

--
------------------------------------------------------------------------------------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
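An added example, not code from the thread: the username Dan gives above, handled once by string concatenation and once by a prepared statement. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (assumption: the pdo_sqlite extension is loaded); mysqli prepared statements bind values the same way against MySQL.

```php
<?php
// Constructed input, taken from the message above.
$username = "anything'; DROP TABLE x; SELECT 'a' = 'a";

// 1. Concatenation: the input becomes part of the SQL text and the statement
//    reads exactly as in Dan's message. The string is only built here, not run.
function buildUnsafeUpdate(string $username): string
{
    return "UPDATE members SET status='live' WHERE Username = '$username'";
}
echo buildUnsafeUpdate($username), "\n";

// 2. Prepared statement: the SQL text is fixed and the input is bound as a
//    value, so the quote and the semicolon are data, never statement syntax.
//    This covers UPDATE and SELECT as well as INSERT, which is the point of
//    the thread: every place user input meets SQL text needs protection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (Username TEXT, status TEXT)");
$db->exec("CREATE TABLE x (id INTEGER)");
$db->exec("INSERT INTO members VALUES ('afan', 'pending')");

function activateMember(PDO $db, string $username): int
{
    $stmt = $db->prepare("UPDATE members SET status='live' WHERE Username = ?");
    $stmt->execute([$username]);
    return $stmt->rowCount();   // rows whose Username equals the literal input
}

$updated = activateMember($db, $username);
echo "rows updated: $updated\n";

// Table x survives and afan's status is unchanged: the bound value matched no row.
$tables = $db->query("SELECT name FROM sqlite_master WHERE type = 'table'")
             ->fetchAll(PDO::FETCH_COLUMN);
echo "tables: ", implode(', ', $tables), "\n";
$status = $db->query("SELECT status FROM members WHERE Username = 'afan'")
             ->fetchColumn();
echo "afan status: $status\n";
```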
