Re: Using mysql_real_escape_string without connecting to mysql

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Richard Lynch wrote:
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
On 24/01/2008, Richard Lynch <ceo@xxxxxxxxx> wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.

In other words, you should still filter the INPUT somewhere; But you
are escaping the output to MySQL so that it is not going to execute
arbitrary SQL on your DB server.
After I pull the info out of the database, before it goes to the
webbrowser, it goes through this:

function clean_html ($dirty) {
  $dirty=strip_tags($dirty);

The strip_tags should probably have been done before it ever went into
the database, as part of INPUT FILTERING rather than escaping
output...


That should be considered part of the DRY method. But spanning page requests.

I cannot see any reason why you shouldn't be doing this before you insert this information into your DB. Doing it once on your insert, instead of every single page request would seen to me a much better use of resources.

If you are needing to have the tags in the DB, what I would do is have add second column in your DB. One that contains the clean version and one that contains the marked up version. Then you are not doing so much work on each page load, and you are able to retain the marked up version for editing ( i assume )

  $clean=htmlentities($dirty);
  return $clean;
}

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-×’-ד-×”-ו-×–-×—-ט-×™-ך-×›-ל-ם-מ-ן-×
-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?





--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
       and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
    by William Shakespeare

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux