On Wed, Feb 18, 2009 at 8:34 AM, PJ <af.gourmet@xxxxxxxxxxxx> wrote:

> To focus on mysql_real_escape_string, I am recapping... questions below
> QUOTE:==========
> Instead of doing this (for an imaginary table):
> $sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
>
> do
> $sql = "insert into table1(field1, field2) values ('" .
> mysql_real_escape_string($value1) . "', '" .
> mysql_real_escape_string($value2) . "')";
>
> Now $value1 and $value2 can only be used as data, they can't be used
> against you.
>
> If you don't do that, try adding a last name of O'Reilly - your code
> will break because of the ' in the name.
>
> When you say "escape all your inputs" - just what do you mean? Does that
> mean I need some special routines that have to be repeated over and over
> every time there is an input... but what do you mean by an "input"? And,
> from looking at all the comments in the manual, it's not clear just
> where to stop...
>
> "input" means anything a user gives you. Whether it's a first name, last
> name, a comment in a blog, a website url - anything you get from a user
> must be escaped.
> END QUOTE ===============
>
> So, I am more confused than ever...
>
> TWO QUESTIONS:
>
> 1. It seems to me that submitting username, password and database_name
> is pretty dangerous.
> How does one deal with that? Do you use mysql_real_escape_string?
> e.g.
> <?php
> $db_host = 'localhost';
> $db_user = 'root';
> $db_pwd = 'gugus@#$';
>
> $database = 'join_tutorial';
> $table = 'authorBook';
>
> if (!mysql_connect($db_host, $db_user, $db_pwd))
>     die("Can't connect to database");
>
> if (!mysql_select_db($database))
>     die("Can't select database");
>
> // sending query
> $result = mysql_query("SELECT * FROM {$table}");

Inputs are user supplied. Variables coming from inside the application code are not really inputs. I prefer a two step approach to ensure that I am (hopefully) free from potential problems.

1. Use filtering like regex and length checks [ http://ca2.php.net/manual/en/function.ereg.php ]
2. Use mysql_real_escape_string in the query wherever the data is potentially harmful.

> 2. How do you use mysql_real_escape_string on a string entered in a form
> page with input and $_POST where the inputs are strings like $titleIN,
> $authorIN....etc.?

<?php
$error = ''; $title = ''; $authorIN = ''; // initialize vars

// 1. filter: accept only the characters we expect for each field
//    (eregi() was removed in PHP 7; preg_match() with the /i flag is the equivalent)
if (preg_match('/^[a-z0-9.\s]+$/i', $_POST['title'])) { $title = $_POST['title']; } else { $error .= "invalid title"; }
if (preg_match('/^[a-z.\s]+$/i', $_POST['author'])) { $authorIN = $_POST['author']; } else { $error .= "invalid author"; }

// 2. escape: mysql_real_escape_string() needs an open connection, otherwise it returns false
//    (table1 is the imaginary table from the quoted example; "table" on its own is a reserved word)
if ($error === '') {
    $sql = "insert into table1 (title, author) values ('" . mysql_real_escape_string($title) . "','" . mysql_real_escape_string($authorIN) . "')";
}
// rest of code
?>

> --
> Phil Jourdan --- pj@xxxxxxxxxxxxx
> http://www.ptahhotep.com
> http://www.chiccantine.com
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

--
Bastien

Cat, the other other white meat
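The two-step approach from the reply above (filter first, then escape only what goes between quotes in the SQL), as an added example that is not part of this thread. It is written in Python rather than PHP so it runs without a MySQL connection: the escape() function below is a stand-in that applies the escaping rules mysql_real_escape_string() is documented to use for single-byte connection charsets (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z), not the PHP function itself. The field rules, the table name and the form submissions are constructed for the example; the author rule deliberately admits an apostrophe so the O'Reilly case from the quoted message reaches the escaping step.

```python
import re

# Step 1 rules, one per form field: (pattern, maximum length). Constructed for
# this example; the thread's own patterns admit letters, digits, dots and
# whitespace. The author rule also admits ' and - so that O'Reilly passes.
RULES = {
    "title":  (re.compile(r"[a-z0-9.\s]+", re.IGNORECASE), 200),
    "author": (re.compile(r"[a-z.'\-\s]+", re.IGNORECASE), 100),
}


def validate(fields):
    """Step 1: regex and length checks. Returns (clean_values, errors)."""
    clean, errors = {}, []
    for name, (pattern, max_len) in RULES.items():
        value = fields.get(name, "")
        # fullmatch() insists the whole string matches, so a trailing newline
        # cannot slip past a $ anchor the way it can with match()/search().
        if not isinstance(value, str) or len(value) > max_len or not pattern.fullmatch(value):
            errors.append(f"invalid {name}")
        else:
            clean[name] = value
    return clean, errors


# Step 2 table: the characters MySQL-style escaping rewrites and their
# replacements. Stand-in for mysql_real_escape_string() on a single-byte
# connection charset; a real escaper must know the connection charset.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape(value):
    """Step 2: make a string safe to place between single quotes in SQL."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def naive_insert(table, fields):
    """The 'instead of doing this' form from the quoted message: raw interpolation."""
    return (f"insert into {table} (title, author) "
            f"values ('{fields.get('title', '')}', '{fields.get('author', '')}')")


def build_insert(table, fields):
    """Validate, then escape, then build the statement. Returns (sql, errors).

    The table and column names come from application code, not from the
    form, so they are not inputs in the sense the reply uses.
    """
    clean, errors = validate(fields)
    if errors:
        return None, errors
    cols = ", ".join(clean)
    vals = ", ".join("'" + escape(v) + "'" for v in clean.values())
    return f"insert into {table} ({cols}) values ({vals})", []


if __name__ == "__main__":
    # Constructed form submissions.
    good = {"title": "PHP 5 Notes", "author": "O'Reilly"}
    bad = {"title": "x; drop", "author": "O'Reilly"}
    print(naive_insert("table1", good))   # the ' in O'Reilly ends the literal early
    print(build_insert("table1", good))   # O\'Reilly stays inside the literal
    print(build_insert("table1", bad))    # rejected by step 1, no SQL is built
```

Escaping only protects values that sit inside quoted string literals; a number or an identifier that is interpolated unquoted gets no protection from it, which is why the filtering step is kept in front of it and why the table name is taken from code rather than from the form.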