RE: Filtering (was storing single and double quote in MySQL)

> -----Original Message-----
> From: tedd [mailto:tedd@xxxxxxxxxxxx]
> Sent: 26 May 2006 02:27
> To: Chrome; 'tedd'; afan@xxxxxxxx
> Cc: 'Eric Butera'; 'php'
> Subject: RE:  Filtering (was storing single and double quote in
> MySQL)
> 
> At 11:51 PM +0100 5/25/06, Chrome wrote:
> >[snip]
> >1. Anytime you put anything into a dB then use
> >mysql_real_escape_string() function. If you are NOT going to put it
> >in a dB, then you don't need mysql_real_escape_string() function --
> >understand?
> >[/snip]
> >
> >Untrue... It isn't just inserting into a DB that requires this function...
> >Consider:
> >
> >User enters:
> >anything'; DROP TABLE x; SELECT 'a' = 'a
> >
> >into the form for username... Now your unescaped SQL statement reads:
> >
> >UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x;
> >SELECT 'a' = 'a'
> >
> >Where x can be a brute-forced table name... I can't remember if MySQL allows
> >multiple statements but I seem to remember hearing that MySQL5 does... If
> >I'm wrong correct me and tell me to RTFM :)
> >
> >Nice catch on the error... I didn't notice that :)
> >
> >HTH (and that I'm right :) )
> >
> >Dan
> 
> Dan:
> 
> A couple of things: One, I'm not sure if afan understands multiple
> statements, so I didn't want to confuse him; Two, I don't use
> multiple statements because they confuse me. I'm much more of a
> step-by-step programmer.

I don't use them either; hence my uncertainty :)

> I find that sometimes it's best to provide something simple for
> someone to learn rather than confuse them with remote possibilities.
> I taught at college level and believe me when I say there is nothing
> dumber than a student. Baby steps are best -- and the same for me
> when I'm learning as well.

I'm still learning... very much so... which is why all my advice is subject
to correction by a higher mortal... step forward, you know who you are :)

> In the exchange I had with afan, we were talking about placing data
> into a dB without the need for escapes and I think the advice I gave
> him was correct.

Never doubted that :)... I have seen much of your advice

> I realize that there are exceptions to just about anything IF you dig
> deep enough. For example did you know that if magic_quotes are turned
> ON and you use escape_data() that function will use
> mysql_real_escape_string(). So, here's an example that proves your
> point, but if I was to inform afan of that, what good would it do?
> Knowing that hasn't done anything for me.

I only sought to provide knowledge... knowing the pitfalls regardless of how
bad the advice is set out/worded surely must be good

Security should be foremost and ignorance no excuse... That's not to say
anyone can't make a mistake :) 

> 
> In any event, your point is well taken -- thanks for the clarification.
> 
> tedd
> 
> --
> ------------------------------------------------------------------------------------
> http://sperling.com  http://ancientstones.com  http://earthstones.com


Dan
-- 
http://chrome.me.uk
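The UPDATE query quoted in this thread, shown as an added example (not code from either poster) in its vulnerable form next to the escaped and the prepared-statement forms. The `$db` mysqli connection, the `members` table and the credentials are constructed placeholders for illustration.

```php
<?php
// Added example, not from the original thread. Assumes a mysqli connection
// $db to a database that has a `members` table (placeholder values below).

// Constructed input: the same payload discussed in the thread.
$username = "anything'; DROP TABLE x; SELECT 'a' = 'a";

// 1. Vulnerable: the value is spliced into the SQL text, so the quote in the
//    input closes the string literal and the remainder is parsed as SQL.
function buildUpdateUnsafe(string $username): string {
    return "UPDATE members SET status='live' WHERE Username = '$username'";
}

// 2. Escaped: mysql_real_escape_string() (mysqli::real_escape_string() in
//    current PHP) backslash-escapes the quotes so the whole input stays one
//    literal. It needs a live connection because escaping depends on the
//    connection character set.
function buildUpdateEscaped(mysqli $db, string $username): string {
    $safe = $db->real_escape_string($username);
    return "UPDATE members SET status='live' WHERE Username = '$safe'";
}

// 3. Preferred: a prepared statement sends the SQL text and the value to the
//    server separately, so the value is never parsed as SQL whatever it holds.
function updateStatusPrepared(mysqli $db, string $username): int {
    $stmt = $db->prepare("UPDATE members SET status='live' WHERE Username = ?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Show the SQL text each approach would send, then run the safe version.
echo buildUpdateUnsafe($username), "\n";

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb'); // placeholders
echo buildUpdateEscaped($db, $username), "\n";
echo updateStatusPrepared($db, $username), " row(s) updated\n";
```

On the stacked-statement question raised in the thread: `mysqli::query()` rejects a second statement in one call (only `mysqli::multi_query()` accepts several), but an unescaped quote still lets the input rewrite the WHERE clause, so escaping or binding is needed regardless.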

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php