On Thu, May 31, 2007 5:39 pm, info@xxxxxxxxxxxxx wrote:
> Thank you. Will use of your initialization method protect one from sql
> injection? It isn't clear from reading this:
>
> http://ca.php.net/htmlentities
>
> ???

htmlentities has absolutely ZERO protection against SQL Injection.

None. Nada. Zip. Zilch.

It only "protects", if that, against XSS attack, in that it converts any funky character into its HTML Entity to be rendered as "data" in the browser, rather than as "code" (where "code" means JavaScript and/or HTML).

A clever XSS attacker might craft a string that after htmlentities turns into Bad Things, but it's a bit tougher.

In fact, if I understood Rasmus' keynote at php|tek correctly, an HTML-entity of ' is actually a valid apostrophe in JS, so that:

var foo = 'This is an XSS attack'

is actually VALID JavaScript code! [shudder]

Which means that htmlentities won't always be "enough" to protect against XSS attacks, I don't think...

But it was early in the morning for me, and I was freaking out about the dang microphone (grrr!) so wasn't 100% focused on what he was saying...

Anyway, if the incoming data is also bound for SQL, as well as for output to the browser, I might also do like this at the top:

$messages = array();
require 'connect.inc'; //sets up $connection
$username = isset($_POST['username']) ? $_POST['username'] : '';
$username_html = htmlentities($username);
$username_sql = mysql_real_escape_string($username, $connection);

//validate username:
//the code to put here is CUSTOM
//it depends on YOUR business needs for a username
//that, in turn, depends on YOUR potential user base
//beware any kind of "generic" code for this
//it might be "close" to what you want
//but it will rarely really really be what you want...
//That said, here are some tests you might consider modifying:
$valid = true;
if (!strlen($username)){
  //this probably is always gonna need to be there...
  $messages[] = "Username cannot be blank";
  $valid = false;
}
if (!ctype_graph($username)){
  //maybe you WANT to allow control characters in your username?
  $messages[] = "Username cannot contain \"invisible\" characters or whitespace";
  $valid = false;
}
if (preg_match('|^[a-z]*$|i', $username)){
  //all alpha usernames are usually not so good...
  $messages[] = "Username must contain at least one character that's not A to Z";
  $valid = false;
}
if (preg_match('|^[0-9]*$|', $username)){
  //all digit usernames are probably also not so good...
  $messages[] = "Username cannot be only digits 0-9. Add at least one A-Z character.";
  $valid = false;
}
if (is_dictionary_word($username)){
  //is_dictionary_word() is not a PHP built-in; write it against a word list
  //perhaps more appropriate for a password in general
  //but on higher-level security systems
  //even a username shouldn't be in Webster's dictionary
  $messages[] = "Username must not be a single dictionary word. Consider using two unrelated words.";
  $valid = false;
  //NOTE: Webster's 2nd Edition is available in Public Domain
  //and is often available as rpm/package
  //quite handy to check for this kind of stuff
}

You could, of course, go on at length in this way, and even more so for passwords.

But once you reach this point, if $valid is still true, you have an SQL-injection safe username in $username_sql, so use that in the queries.

$query = "select user_id from user where username = '$username_sql' ";

Use the HTML one for HTML:

<input name="username" value="<?php echo $username_html?>" />

NOTE: The "filter" extension available since (??? 5.2.2 ???) looks like it will make this all a LOT easier.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
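As an added example (not from the original post or from PHP's documentation), here is the same "one copy per output context" idea written against current PHP APIs: validate first, hand the SQL value to a prepared statement as a bound parameter instead of keeping an escaped copy, and encode separately for an HTML attribute and for a JavaScript string literal, which is the gap the htmlentities-versus-JS remark above points at. The `user(user_id, username)` table, the PDO DSN and the helper names are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes a PDO connection and a
// table user(user_id, username); the DSN below is a placeholder.
declare(strict_types=1);

// Validation rejects input that breaks the rules; it does not "clean" it.
function validate_username(string $username, array &$messages): bool
{
    $valid = true;
    if ($username === '') {
        $messages[] = 'Username cannot be blank';
        $valid = false;
    } elseif (!ctype_graph($username)) {
        $messages[] = 'Username cannot contain invisible characters or whitespace';
        $valid = false;
    }
    if (preg_match('/^[a-z]*$/i', $username) || preg_match('/^[0-9]*$/', $username)) {
        $messages[] = 'Username must mix letters with digits or other characters';
        $valid = false;
    }
    return $valid;
}

// HTML context. ENT_QUOTES matters: without it the apostrophe passes through
// untouched, which is what makes a single-quoted attribute breakable.
function for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string-literal context. Inside <script> the HTML parser does not
// decode entities, and inside an onclick="" attribute it decodes them before the
// JS engine runs, so an HTML encoder alone is wrong for both; emit a JS literal.
function for_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// SQL context. No escaped copy at all: the value travels as a bound parameter.
function find_user_id(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT user_id FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$username = $_POST['username'] ?? '';
$messages = [];
if (validate_username($username, $messages)) {
    $pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS');
    $userId = find_user_id($pdo, $username);
    echo '<input name="username" value="' . for_html($username) . '" />';
    echo '<script>var username = ' . for_js($username) . ';</script>';
}
```

A value placed in an event-handler attribute needs both encoders applied in order: for_js() first to make a JS literal, then for_html() on the result so the attribute parser hands the literal through intact.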