Re: Using mysql_real_escape_string without connecting to mysql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dotan Cohen schreef:
On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
I can read, I saw 2 functions the first time. each function cleans *and* escapes.

cleaning is filtering of input.
escaping is preparing for output.

2 concepts.

I see your point.

if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.

I'm not accepting "--" at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?

I might just want to put '--' in a textfield used as the basis for content
for a webpage. just because I want to. the most pertinent example are wikis,
they use '--' as markup (which is usually transformed into an <hr /> when the
results are output for viewing ... but obviously you want the original markup
when editing.

INSERT INTO foo (textfield) VALUES ('--');

nothing to escape in the case of a those chars being part of a string, the escaping
mechanism [hopefully] ensures that a given string will never contain a byte sequence that
the query parser will misinterpret as a sign to end the string (before the last intend quote
delimiter) prematurely and thereby treat the remainder of the input string as SQL.


filter each piece of data
validate each piece of data
escape each peice of data for each context in which it will be output.

I see that you have more experience than I!

imho your functions are conceptually wrong and not very robust either -
don't take it as a personal attack - I'm very sure if we sat down with *some*
of my code the same critism could be made to more or lesser extent :-) ...
"getting better all the time" as they sang once ;-)

I never thought that was a personal attack, not for a second. Rather,
I very much appreciate the time you take to explain to me my errors.
And I intend to learn from them. For the time being, I'll leave the
code as it is. However, for future projects, I will make a point of
separating the different functions. Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux