Re: escape your variables

On Wed, Feb 18, 2009 at 8:34 AM, PJ <af.gourmet@xxxxxxxxxxxx> wrote:
> To focus on mysql_real_escape_string, I am recapping... questions below
> QUOTE:==========
> Instead of doing this (for an imaginary table):
> $sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
>
> do
> $sql = "insert into table1(field1, field2) values ('" .
> mysql_real_escape_string($value1) . "', '" .
> mysql_real_escape_string($value2) . "')";
>
> Now $value1 and $value2 can only be used as data, they can't be used
> against you.
>
> If you don't do that, try adding a last name of O'Reilly - your code
> will break because of the ' in the name.
>
> When you say "escape all your inputs" - just what do you mean? Does that
> mean I need some special routines that have to be repeated over and over
> every time there is an input... but what do you mean by an "input"? And,
> from looking at all the comments in the manual, it's not clear just
> where to stop...
>
> "input" means anything a user gives you. Whether it's a first name, last
> name, a comment in a blog, a website url - anything you get from a user
> must be escaped.
> END QUOTE ===============
>
> So, I am more confused than ever...
>
> TWO QUESTIONS:
>
> 1.  It seems to me that submitting username, password and database_name
> is pretty dangerous.
> How does one deal with that? Do you use mysql_real_escape_string?
> e.g.
> <?php
> $db_host = 'localhost';
> $db_user = 'root';
> $db_pwd = 'gugus@#$';
>
> $database = 'join_tutorial';
> $table = 'authorBook';
>
> if (!mysql_connect($db_host, $db_user, $db_pwd))
>    die("Can't connect to database");
>
> if (!mysql_select_db($database))
>    die("Can't select database");
>
> // sending query
> $result = mysql_query("SELECT * FROM {$table}");
>
> 2. How do you use mysql_real_escape_string on a string entered in a form
> page with input and $_POST where the inputs are strings like $titleIN,
> $authorIN....etc.?
>
> --
>
> Phil Jourdan --- pj@xxxxxxxxxxxxx
>   http://www.ptahhotep.com
>   http://www.chiccantine.com
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Escaping means making sure your data remains data in the context of
using it.  If you don't escape your data correctly depending on the
context, then user input can break your applications.  Also if your
site is worthy of it, perhaps even a malicious user might try
something, but usually what ends up happening is O'Henry gets a white
page.  Why?  Well most code I come across has that horrid or die()
following the query.

Keep in mind that you want to escape your variable when you're using
it only.  You do not want to escape the actual variable itself, but a
copy of it.  This is why magic quotes is such a bad idea.  It taints
your actual data with slashes.  There's more to it than just that, but
you can research it on your own.

So here are some examples of bad behavior.

= Database =
Bad:
$name = mysql_real_escape_string($_POST['name'], $link); // the escaped copy overwrites the data itself
mysql_query("INSERT INTO foo (`name`) VALUES ('". $name ."')");

$name now contains slashes which means it is corrupt and not able to
be echoed without a stripslashes.  You should never have to call
stripslashes.  If you do, you're doing it wrong.

Better:
mysql_query("INSERT INTO foo (`name`) VALUES ('".
mysql_real_escape_string($name, $link) ."')"); // escape a copy, only where the SQL is built

This is better because we escape it in the sql statement itself.
$name remains unchanged in case we want to use it later.

Best:
Use prepared statements!


= Html =
Bad:
$name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo $name;

This is bad because $name is contaminated with html entities.  What
happens if you want to use it to send an email?  What happens if you
want to get a substring of it or parse out a few sentences for a
little preview?

Better:
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');

This is better because we don't trust the data at all.  You don't know
what it contains.  People find all sorts of interesting ways of
getting weird characters into the apps I write, so just cover all
bases.

Another way:
Create a pre-escaped version of the content in the db.  Keep the
original value so that the user can edit it, but also create a 'clean'
version that you can just echo out.  Just make sure you don't mess up.
:)


Keep in mind a lot of this is my opinion of course.  I think keeping
your data as data is the correct method.  If you forget to escape even
once though you open yourself up for broken applications/attacks.  You
could take the other approach of just letting ext/filter pre escape
everything, but then you've got to decode all of that data if you ever
want to use it as plain text.  So find the happy balance that fits
your needs the best and go for it.  The main thing is understanding
the difference between what your data is and its escaped version.
Once you know that you can do what you need.

-- 
http://www.voom.me | EFnet: #voom
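The following is an added example for this thread, not code from either list post. It walks through the database variants (concatenate, escape a copy at the point of use, prepared statement) and the HTML variants (escape into the variable versus escape at output) from the reply above, in Python rather than PHP: sqlite3 stands in for ext/mysql, a quote-doubling function stands in for mysql_real_escape_string(), and html.escape() stands in for htmlspecialchars(). The table `foo`, the function names and the two inputs (the O'Reilly name and a payload that smuggles a second VALUES tuple) are assumptions constructed for the demo.

```python
"""Escape a copy at the point of use; keep the stored value as data.

Added example for this thread, not code from the original posts. sqlite3
stands in for ext/mysql and html.escape() for htmlspecialchars(); the table,
rows and inputs are all constructed here for the demonstration.
"""
import html
import sqlite3

# Constructed inputs: a legitimate name with an apostrophe, and a payload that
# tries to turn a single VALUES tuple into two.
NAME_WITH_QUOTE = "O'Reilly"
INJECTION = "x'), ('injected"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (name TEXT)")
    return conn


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM foo ORDER BY rowid")]


def sql_escape(value):
    """Minimal stand-in for mysql_real_escape_string(): doubles single quotes.

    Only meaningful inside a single-quoted SQL literal. The real function also
    handles backslashes, NUL bytes and the connection's charset, which is why
    the reply above passes $link to it.
    """
    return value.replace("'", "''")


def insert_naive(name):
    """Bad: the value is spliced into the SQL text, so a quote becomes SQL."""
    conn = fresh_db()
    try:
        conn.execute(f"INSERT INTO foo (name) VALUES ('{name}')")
    except sqlite3.OperationalError:
        return "error"  # the 'O'Henry gets a white page' case
    return stored_names(conn)


def insert_escaped(name):
    """Better: escape a copy inside the statement; `name` itself is untouched."""
    conn = fresh_db()
    conn.execute(f"INSERT INTO foo (name) VALUES ('{sql_escape(name)}')")
    return stored_names(conn)


def insert_prepared(name):
    """Best: a parameterised query; the driver never merges data into the SQL."""
    conn = fresh_db()
    conn.execute("INSERT INTO foo (name) VALUES (?)", (name,))
    return stored_names(conn)


def render_li(name):
    """HTML context: escape at output, every time, quotes included."""
    return f"<li>{html.escape(name, quote=True)}</li>"


def mail_subject(name):
    """A non-HTML context that wants the raw data."""
    return f"Welcome, {name}"


def escape_at_use(name):
    """Better: the variable stays data; each sink escapes for its own context."""
    return render_li(name), mail_subject(name)


def escape_into_variable(name):
    """Bad: the variable is overwritten with its HTML form, so the mail subject
    carries an entity and the HTML sink double-encodes it."""
    name = html.escape(name, quote=True)
    return render_li(name), mail_subject(name)


if __name__ == "__main__":
    print("naive   :", insert_naive(NAME_WITH_QUOTE), insert_naive(INJECTION))
    print("escaped :", insert_escaped(INJECTION))
    print("prepared:", insert_prepared(INJECTION))
    print("at use  :", escape_at_use(NAME_WITH_QUOTE))
    print("tainted :", escape_into_variable(NAME_WITH_QUOTE))
```

Run it and the naive insert fails on O'Reilly and stores two rows for the payload, while both the escaped copy and the prepared statement store the payload as one literal string. On the HTML side, escaping into the variable leaves `&#x27;` in the mail subject and produces `&amp;#x27;` in the page, which is exactly the "contaminated with html entities" problem the reply describes.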
