Re: escape your variables

PJ wrote:
Sorry, but I have been waylaid by other posts... :'(
and have not had the opportunity to finish my quest and I posted to
mysql but they are not very helpful....
I see I was not very clear below and will annotate below.
But the problem is still there, I cannot figure out how to sanitize with
mysql_real_escape_string().
I have tried to use it but cannot figure out where it should go...
according to the php manual,
but I see that I have to have an active db connection; so how do I
sanitize when this is a file for connecting and in an include file?
Here is an include file that connects to the database:
<?php
// db1.php
// SQL login parameters for local environment
$local_dbhost     = "localhost";    // normally "localhost"
$local_dbuser     = "root";         // your local database user name
$local_dbpass     = "gugus@#$";     // your local database password
$local_dbname     = "biblane";      // your local database name

// SQL remote parameters for remote environment (ex: nomonthlyfees)
$remote_dbhost    = "localhost";    // normally "localhost"
$remote_dbuser    = "root";         // your remote database user name
$remote_dbpass    = "gugus@#$";     // your remote database password
$remote_dbname    = "biblane";      // your remote database name

// Local server address
$LOCAL_SERVER = "127.0.0.1";

// CONNECT to DATABASE: pick the parameter set based on the client address
if ($_SERVER["REMOTE_ADDR"] == $LOCAL_SERVER) {
    $dbhost = $local_dbhost;
    $dbuser = $local_dbuser;
    $dbpass = $local_dbpass;
    $dbname = $local_dbname;
}
else {
    $dbhost = $remote_dbhost;
    $dbuser = $remote_dbuser;
    $dbpass = $remote_dbpass;
    $dbname = $remote_dbname;
}

// Open the connection; it is checked below before any database is selected on it
$db = mysql_connect($dbhost, $dbuser, $dbpass);

//echo $dbname;
//echo "<br>";
//echo $dbhost;
//echo $dbuser;
//echo $dbpass;

if (!$db) {
    echo( "<P>Unable to connect to the " .
          "database server at this time.</P>" );
    exit();
}

// Select the database chosen above (not a hard-coded name) on the checked link
if (! mysql_select_db($dbname, $db) ) {
    echo( "<P>Unable to locate the " . $dbname . " " .
          "database at this time.</P>" );
    exit();
}
?>

Eric Butera wrote:
On Wed, Feb 18, 2009 at 8:34 AM, PJ <af.gourmet@xxxxxxxxxxxx> wrote:
To focus on mysql_real_escape_string, I am recapping... questions below
QUOTE:==========
Instead of doing this (for an imaginary table):
$sql = "insert into table1(field1, field2) values ('$value1',
'$value2')";

do
$sql = "insert into table1(field1, field2) values ('" .
mysql_real_escape_string($value1) . "', '" .
mysql_real_escape_string($value2) . "')";

Now $value1 and $value2 can only be used as data, they can't be used
against you.

If you don't do that, try adding a last name of O'Reilly - your code
will break because of the ' in the name.

When you say "escape all your inputs" - just what do you mean? Does that
mean I need some special routines that have to be repeated over and over
every time there is an input... but what do you mean by an "input"? And,
from looking at all the comments in the manual, it's not clear just
where to stop...

"input" means anything a user gives you. Whether it's a first name, last
name, a comment in a blog, a website url - anything you get from a user
must be escaped.
END QUOTE ===============

So, I am more confused than ever...

TWO QUESTIONS:

1. It seems to me that submitting username, password and database_name
is pretty dangerous.
How does one deal with that? Do you use mysql_real_escape_string?
e.g.
<?php
$db_host = 'localhost';
$db_user = 'xxxx';
$db_pwd = 'xxxxxx';

$database = 'join_tutorial';
$table = 'authorBook';

if (!mysql_connect($db_host, $db_user, $db_pwd))
die("Can't connect to database");

if (!mysql_select_db($database))
die("Can't select database");

// sending query
$result = mysql_query("SELECT * FROM {$table}");
No one seems to have responded to the above question - how to sanitize
this when there is no connection? Same idea as the upper include file...

Problem: if there's no connection, how can you fetch anything from a table?

Using a variable is fine for a table name.

You only need to escape data coming from a user going into your database.

example:
insert into address_book (first_name, last_name) values ($_POST['first_name'], $_POST['last_name']);

first_name and last_name come from a form of some sort - it's user input. It needs to be escaped.

$query = "insert into table(field1, field2) values ('" . mysql_real_escape_string($_POST['first_name']) . "', '" . mysql_real_escape_string($_POST['last_name']) . "')";

'first_name' and 'last_name' are the names of your input fields on your form.

--
Postgresql & php tutorials
http://www.designmagick.com/
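PJ's question of where the escaping call goes, as an added example that is not code from the thread: the escaping happens after the connection is open, at the point where the query is built, and not inside the include file that only connects; a prepared statement is shown alongside as the form that needs no escaping call at all. It uses mysqli, because the mysql_* functions discussed in the thread were removed in PHP 7, and the credentials, table and column names are placeholders assumed to exist on a reachable MySQL server.

```php
<?php
// Added example, not code from the thread. Uses mysqli because the mysql_*
// extension was removed in PHP 7; the escaping rule it illustrates is the same.
// Placeholder credentials and database: replace with your own.
$db = mysqli_connect('localhost', 'db_user', 'db_password', 'biblane');
if (!$db) {
    exit('Unable to connect to the database server at this time.');
}

// The table name is set by this script, not by a user, so a plain variable is fine.
// Only values that arrive from the user are data that must be escaped or bound.
$table = 'address_book';

// Escaping version: the call needs the open link ($db) for its charset, so it
// belongs here, where the query is assembled, and not in the connect include.
function insert_escaped(mysqli $db, string $table, string $first, string $last): bool
{
    $sql = "INSERT INTO {$table} (first_name, last_name) VALUES ('"
         . mysqli_real_escape_string($db, $first) . "', '"
         . mysqli_real_escape_string($db, $last) . "')";
    return mysqli_query($db, $sql) !== false;
}

// Prepared-statement version: the driver keeps data and SQL apart, so a name
// such as O'Reilly is sent as data and no escaping call is needed.
function insert_prepared(mysqli $db, string $table, string $first, string $last): bool
{
    $stmt = mysqli_prepare($db, "INSERT INTO {$table} (first_name, last_name) VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $first, $last);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// User input from the form fields named first_name and last_name.
$first = $_POST['first_name'] ?? '';
$last  = $_POST['last_name']  ?? '';

var_dump(insert_escaped($db, $table, $first, $last));
var_dump(insert_prepared($db, $table, $first, $last));
mysqli_close($db);
```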


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php