Sorry, but I have been waylaid by other posts... :'( and have not had the opportunity to finish my quest, and I posted to mysql but they are not very helpful.... I see I was not very clear below and will annotate below. But the problem is still there: I cannot figure out how to sanitize with mysql_real_escape_string(). I have tried to use it but cannot figure out where it should go... according to the php manual, but I see that I have to have an active db connection; so how do I sanitize when this is a file for connecting and in an include file?

Here is an include file that connects to the database:

<?php
// db1.php

// SQL login parameters for local environment
$local_dbhost = "localhost";    // normally "localhost"
$local_dbuser = "root";         // your local database user name
$local_dbpass = "gugus@#$";     // your local database password
$local_dbname = "biblane";      // your local database name

// SQL remote parameters for remote environment (ex: nomonthlyfees)
$remote_dbhost = "localhost";   // normally "localhost"
$remote_dbuser = "root";        // your remote database user name
$remote_dbpass = "gugus@#$";    // your remote database password
$remote_dbname = "biblane";     // your remote database name

// Local server address
$LOCAL_SERVER = "127.0.0.1";

// Pick the parameter set depending on where the request comes from
if ($_SERVER["REMOTE_ADDR"] == $LOCAL_SERVER) {
    $dbhost = $local_dbhost;
    $dbuser = $local_dbuser;
    $dbpass = $local_dbpass;
    $dbname = $local_dbname;
} else {
    $dbhost = $remote_dbhost;
    $dbuser = $remote_dbuser;
    $dbpass = $remote_dbpass;
    $dbname = $remote_dbname;
}

// CONNECT to DATABASE
$db = mysql_connect($dbhost, $dbuser, $dbpass);

//echo $dbname;
//echo "<br>";
//echo $dbhost;
//echo $dbuser;
//echo $dbpass;

// Check the connection before trying to use it
if (!$db) {
    echo("<P>Unable to connect to the " .
         "database server at this time.</P>");
    exit();
}

// Select the database (once, using the name chosen above)
if (!mysql_select_db($dbname, $db)) {
    echo("<P>Unable to locate the biblane " .
         "database at this time.</P>");
    exit();
}
?>

Eric Butera wrote:
> On Wed, Feb 18, 2009 at 8:34 AM, PJ <af.gourmet@xxxxxxxxxxxx> wrote:
>> To focus on mysql_real_escape_string, I am recapping... questions below
>> QUOTE:==========
>> Instead of doing this (for an imaginary table):
>> $sql = "insert into table1(field1, field2) values ('$value1',
>> '$value2')";
>>
>> do
>> $sql = "insert into table1(field1, field2) values ('" .
>> mysql_real_escape_string($value1) . "', '" .
>> mysql_real_escape_string($value2) . "')";
>>
>> Now $value1 and $value2 can only be used as data, they can't be used
>> against you.
>>
>> If you don't do that, try adding a last name of O'Reilly - your code
>> will break because of the ' in the name.
>>
>> When you say "escape all your inputs" - just what do you mean? Does that
>> mean I need some special routines that have to be repeated over and over
>> every time there is an input... but what do you mean by an "input"? And,
>> from looking at all the comments in the manual, it's not clear just
>> where to stop...
>>
>> "input" means anything a user gives you. Whether it's a first name, last
>> name, a comment in a blog, a website url - anything you get from a user
>> must be escaped.
>> END QUOTE ===============
>>
>> So, I am more confused than ever...
>>
>> TWO QUESTIONS:
>>
>> 1. It seems to me that submitting username, password and database_name
>> is pretty dangerous.
>> How does one deal with that? Do you use mysql_real_escape_string?
>> e.g.
>> <?php
>> $db_host = 'localhost';
>> $db_user = 'xxxx';
>> $db_pwd = 'xxxxxx';
>>
>> $database = 'join_tutorial';
>> $table = 'authorBook';
>>
>> if (!mysql_connect($db_host, $db_user, $db_pwd))
>>     die("Can't connect to database");
>>
>> if (!mysql_select_db($database))
>>     die("Can't select database");
>>
>> // sending query
>> $result = mysql_query("SELECT * FROM {$table}");

No one seems to have responded to the above question - how to sanitize this when there is no connection? Same idea as the upper include file...

>>
>> 2. How do you use mysql_real_escape_string on a string entered in a form
>> page with input and $_POST where the inputs are strings like $titleIN,
>> $authorIN....etc.?
>>
>> --
>>
>> Phil Jourdan --- pj@xxxxxxxxxxxxx
>> http://www.ptahhotep.com
>> http://www.chiccantine.com
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>
> Escaping means making sure your data remains data in the context of
> using it. If you don't escape your data correctly depending on the
> context, then user input can break your applications. Also if your
> site is worthy of it, perhaps even a malicious user might try
> something, but usually what ends up happening is O'Henry gets a white
> page. Why? Well, most code I come across has that horrid or die()
> following the query.
>
> Keep in mind that you want to escape your variable when you're using
> it only. You do not want to escape the actual variable itself, but a
> copy of it. This is why magic quotes is such a bad idea. It taints
> your actual data with slashes. There's more to it than just that, but
> you can research it on your own.
>
> So here are some examples of bad behavior.
>
> = Database =
> Bad:
> $name = mysql_real_escape_string($_POST['name'], $link);
> mysql_query("INSERT INTO foo (`name`) VALUES ('" . $name . "')");
>
> $name now contains slashes, which means it is corrupt and not able to
> be echo'd without a stripslashes. You should never have to call
> stripslashes. If you do, you're doing it wrong.
>
> Better:
> mysql_query("INSERT INTO foo (`name`) VALUES ('" .
>             mysql_real_escape_string($name, $link) . "')");
>
> This is better because we escape it in the sql statement itself.
> $name remains unchanged in case we want to use it later.
>
> Best:
> Use prepared statements!

What do you mean by this? What are "prepared statements"?

>
>
> = Html =
> Bad:
> $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
> echo $name;
>
> This is bad because $name is contaminated with html entities. What
> happens if you want to use it to send an email? What happens if you
> want to get a substring of it or parse out a few sentences for a
> little preview?
>
> Better:
> echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
>
> This is better because we don't trust the data at all. You don't know
> what it contains. People find all sorts of interesting ways of
> getting weird characters into the apps I write, so just cover all
> bases.
>
> Another way:
> Create a pre-escaped version of the content in the db. Keep the
> original value so that the user can edit it, but also create a 'clean'
> version that you can just echo out. Just make sure you don't mess up.
> :)
>
>
> Keep in mind a lot of this is my opinion of course. I think keeping
> your data as data is the correct method. If you forget to escape even
> once, though, you open yourself up for broken applications/attacks. You
> could take the other approach of just letting ext/filter pre-escape
> everything, but then you've got to decode all of that data if you ever
> want to use it as plain text. So find the happy balance that fits
> your needs the best and go for it. The main thing is understanding
> the difference between what your data is and its escaped version.
> Once you know that you can do what you need.

--
unheralded genius: "A clean desk is the sign of a dull mind."
-------------------------------------------------------------
Phil Jourdan --- pj@xxxxxxxxxxxxx
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
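Editor's added example, not code from the thread or from either poster. It puts the two pieces of advice above side by side in one runnable script: the "Best: use prepared statements" answer for the database context, and "escape at output, on a copy" for the HTML context. It uses PDO rather than ext/mysql (mysql_real_escape_string() needs a live connection because the escaping depends on the connection's character set; ext/mysql itself was removed in PHP 7). With a bound parameter the value never enters the SQL text, so there is nothing to escape and no connection-ordering problem. The table and column names (authorBook, title, author) and the form field names ($titleIN, $authorIN) are taken from the questions above; the two submitted rows are constructed test input. SQLite in-memory is assumed so the script runs with no MySQL server; for MySQL only the DSN line changes.

```php
<?php
// Added example (not from the original thread). Requires PHP 7+ with pdo_sqlite.
// Assumption: the table/column names below are illustrative, taken from the
// questions in the thread, not from any real schema.

// Credentials and the database name are passed as connect() arguments, never
// spliced into a SQL string, so they are not inputs that need escaping.
// For MySQL: $dsn = 'mysql:host=localhost;dbname=biblane;charset=utf8mb4';
$dsn = 'sqlite::memory:';
$pdo = new PDO($dsn, null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // throw instead of "or die()"
]);

$pdo->exec('CREATE TABLE authorBook (id INTEGER PRIMARY KEY, title TEXT NOT NULL, author TEXT NOT NULL)');

// Stand-in for $_POST: constructed input covering the O'Reilly case from the
// thread plus a classic injection string and an HTML payload.
$submissions = [
    ['titleIN' => "The Art of Cookery",                 'authorIN' => "O'Reilly"],
    ['titleIN' => "x'); DROP TABLE authorBook; --",     'authorIN' => "<script>alert(1)</script>"],
];

// Prepare once. The SQL text contains only placeholders; the driver sends the
// values separately, so a quote in the data cannot change the statement.
$insert = $pdo->prepare('INSERT INTO authorBook (title, author) VALUES (:title, :author)');

foreach ($submissions as $post) {
    $titleIN  = $post['titleIN'];
    $authorIN = $post['authorIN'];
    // No escaping call at all: the variables stay exactly as submitted.
    $insert->execute([':title' => $titleIN, ':author' => $authorIN]);
}

// Read back. Both rows are present (no table was dropped) and the stored
// values are byte-for-byte what was submitted: no slashes, no entities.
$rows = $pdo->query('SELECT id, title, author FROM authorBook ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);

// Escape for the HTML context only at the point of output, on a copy.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "<table>\n";
foreach ($rows as $row) {
    // $row['title'] / $row['author'] remain raw for any later use (email,
    // substr, an edit form); only the copy sent to the browser is escaped.
    echo '<tr><td>' . h($row['title']) . '</td><td>' . h($row['author']) . "</td></tr>\n";
}
echo "</table>\n";

// Checks a reader can run: the injection string was stored as plain data.
assert(count($rows) === 2);
assert($rows[0]['author'] === "O'Reilly");
assert($rows[1]['title'] === "x'); DROP TABLE authorBook; --");
assert(h($rows[1]['author']) === '&lt;script&gt;alert(1)&lt;/script&gt;');
```

Run it as `php example.php`; the second row prints as text in the table instead of executing as markup, and the DROP TABLE string is just a title. The same pattern answers question 1 above: the values in db1.php are connection parameters, not data inside a query, so they are never candidates for mysql_real_escape_string(), and question 2: each $_POST field is bound as a parameter rather than quoted into the string.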