Bastien Koert wrote:
> On Wed, Feb 18, 2009 at 8:34 AM, PJ <af.gourmet@xxxxxxxxxxxx> wrote:
>
>> To focus on mysql_real_escape_string, I am recapping... questions below
>> QUOTE:==========
>> Instead of doing this (for an imaginary table):
>> $sql = "insert into table1(field1, field2) values ('$value1', '$value2')";
>>
>> do
>> $sql = "insert into table1(field1, field2) values ('" .
>> mysql_real_escape_string($value1) . "', '" .
>> mysql_real_escape_string($value2) . "')";
>>
>> Now $value1 and $value2 can only be used as data, they can't be used
>> against you.
>>
>> If you don't do that, try adding a last name of O'Reilly - your code
>> will break because of the ' in the name.
>>
>> When you say "escape all your inputs" - just what do you mean? Does that
>> mean I need some special routines that have to be repeated over and over
>> every time there is an input... but what do you mean by an "input"? And,
>> from looking at all the comments in the manual, it's not clear just
>> where to stop...
>>
>> "input" means anything a user gives you. Whether it's a first name, last
>> name, a comment in a blog, a website url - anything you get from a user
>> must be escaped.
>> END QUOTE ===============
>>
>> So, I am more confused than ever...
>>
>> TWO QUESTIONS:
>>
>> 1. It seems to me that submitting username, password and database_name
>> is pretty dangerous.
>> How does one deal with that? Do you use mysql_real_escape_string?
>> e.g.
>> <?php
>> $db_host = 'localhost';
>> $db_user = 'auser';
>> $db_pwd = 'apassword';
>>
>> $database = 'adatabase';
>> $table = 'authorBook';
>>
>> if (!mysql_connect($db_host, $db_user, $db_pwd))
>>     die("Can't connect to database");
>>
>> if (!mysql_select_db($database))
>>     die("Can't select database");
>>
>> // sending query
>> $result = mysql_query("SELECT * FROM {$table}");
>>
>
> Inputs are user supplied.

Are you saying that I don't need to sanitize the variables above - $db_host, $db_user, $db_pwd, $database, $table?
If they should be sanitized, just when should that be done? When the variable is declared? Or in the if statements above and the $result? I would love to see an example somewhere that shows an unsanitized variable and the same variable sanitized.

> Variables coming from inside the application code
> are not really inputs. I prefer a two step approach to ensure that I am
> (hopefully) free from potential problems.
>
> 1. Use filtering like regex and length checks

When and specifically on what?

> [http://ca2.php.net/manual/en/function.ereg.php]
> 2. Use mysql_real_escape_string in the query wherever the data is
> potentially harmful.
>
>> 2. How do you use mysql_real_escape_string on a string entered in a form
>> page with input and $_POST where the inputs are strings like $titleIN,
>> $authorIN....etc.?
>>
>
> <?php
> $error = '';
> $title = ''; $authorIN = ''; // initialize vars
>
> // Step 1: filter. A value that fails the check is not used at all;
> // only the error message is recorded.
> if (isset($_POST['title']) && preg_match('/^[a-z0-9.\s]+$/i', $_POST['title'])) {
>     $title = $_POST['title'];
> } else {
>     $error .= "invalid title";
> }
> if (isset($_POST['author']) && preg_match('/^[a-z.\s]+$/i', $_POST['author'])) {
>     $authorIN = $_POST['author'];
> } else {
>     $error .= "invalid author";
> }
>
> // Step 2: escape each value at the point where it is spliced into the SQL.
> $sql = "insert into table (title, author) values ('" .
>     mysql_real_escape_string($title) . "','" .
>     mysql_real_escape_string($authorIN) . "')";
>
> //rest of code
> ?>
>
>> --
>> Phil Jourdan --- pj@xxxxxxxxxxxxx
>> http://www.ptahhotep.com
>> http://www.chiccantine.com
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php

I quote from earlier in the post:
=========
Better:
mysql_query("INSERT INTO foo (`name`) VALUES ('". mysql_real_escape_string($name, $link) ."')");
This is better because we escape it in the sql statement itself. $name remains unchanged in case we want to use it later.

Best: Use prepared statements!
=========
What is meant by prepared statements? Does that mean not using variables?
Another quote:
========
Better:
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
This is better because we don't trust the data at all. You don't know what it contains. People find all sorts of interesting ways of getting weird characters into the apps I write, so just cover all bases.

Another way:
Create a pre-escaped version of the content in the db. Keep the original value so that the user can edit it, but also create a 'clean' version that you can just echo out. Just make sure you don't mess up.
=======
I'd like to be able to understand just what is meant by creating a "pre-escaped version of the content in the db" - I'd like to see an example. And what would the 'clean' version be, where would you put it or where is it supposed to be placed?

--
unheralded genius: "A clean desk is the sign of a dull mind."
-------------------------------------------------------------
Phil Jourdan --- pj@xxxxxxxxxxxxx
http://www.ptahhotep.com
http://www.chiccantine.com/andypantry.php

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
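The three open questions in this message (what "input" is and where escaping happens, what a prepared statement is, and what a "pre-escaped" copy in the database looks like) can be shown side by side in one script. What follows is an added example and is not code from this thread or from any of the list members. It assumes PHP 7.1 or later with the pdo_sqlite extension, so it runs with no MySQL server; the mysql_* functions discussed above were removed in PHP 7.0, so PDO::quote() stands in for mysql_real_escape_string (it escapes for the connection and also adds the surrounding quotes), and PDO::prepare()/execute() are the "prepared statements" the earlier post recommends. The table, column names and the $post array are constructed for the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the
// pdo_sqlite extension so it runs with no MySQL server. The mysql_*
// functions discussed in the thread were removed in PHP 7.0; here
// PDO::quote() stands in for mysql_real_escape_string (it escapes for the
// connection and also adds the surrounding quotes), and
// PDO::prepare()/execute() are the "prepared statements" recommended.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (
    id         INTEGER PRIMARY KEY,
    title      TEXT NOT NULL,   -- original value, kept so the user can edit it
    title_html TEXT NOT NULL,   -- "pre-escaped" copy, safe to echo as-is
    author     TEXT NOT NULL
)');

// Constructed stand-in for $_POST. These values are the only "input" in the
// script; the DSN above is written by the programmer and is never escaped.
$post = [
    'title'  => "O'Reilly's <b>Book</b>",        // apostrophe plus HTML
    'author' => "x'); DELETE FROM books; --",    // an injection attempt
];

// Unsafe: the apostrophe in O'Reilly terminates the string literal early.
function unsafeSql(string $title, string $author): string
{
    return "INSERT INTO books (title, title_html, author) VALUES ('$title', '', '$author')";
}

// Escaped: each value is escaped and quoted for this connection at the point
// where it is spliced into the SQL; $title and $author themselves are not
// modified, so they can still be used elsewhere.
function escapedSql(PDO $pdo, string $title, string $author): string
{
    return 'INSERT INTO books (title, title_html, author) VALUES ('
        . $pdo->quote($title) . ', '
        . $pdo->quote(toHtml($title)) . ', '
        . $pdo->quote($author) . ')';
}

// Prepared: the SQL text holds only placeholders; the values are sent
// separately and are never parsed as SQL, so no escaping is needed at all.
function insertPrepared(PDO $pdo, string $title, string $author): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO books (title, title_html, author) VALUES (:title, :title_html, :author)'
    );
    $stmt->execute([
        ':title'      => $title,
        ':title_html' => toHtml($title),
        ':author'     => $author,
    ]);
    return (int) $pdo->lastInsertId();
}

// Output-side escaping: applied when a value is rendered into HTML.
function toHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

try {
    $pdo->exec(unsafeSql($post['title'], $post['author']));
} catch (PDOException $e) {
    // The O'Reilly case from the thread: the query is malformed and fails.
    echo "unsafe query rejected by the database: " . $e->getMessage() . "\n";
}

$pdo->exec(escapedSql($pdo, $post['title'], $post['author']));
insertPrepared($pdo, $post['title'], $post['author']);

// Both safe inserts stored the injection text as plain data. The original
// title is what an edit form would be filled from; title_html is what a
// listing page echoes without further escaping.
foreach ($pdo->query('SELECT * FROM books ORDER BY id') as $row) {
    echo 'edit form value: ' . toHtml($row['title']) . "\n";
    echo 'listing: <li>' . $row['title_html'] . ' by ' . toHtml($row['author']) . "</li>\n";
}
```

Two points the script makes concrete. Escaping is done where a value is spliced into the SQL text, not where the variable is declared, which is why $db_host, $db_user and $db_pwd are never escaped: they are written by the programmer and never become part of a query. A prepared statement still uses variables; it only moves them out of the SQL text into a separate parameter list, so the apostrophe in O'Reilly and the "DELETE FROM" text are stored as ordinary data. The title_html column is the "clean version" from the quoted post: it is written at insert time and echoed as-is, with the unescaped title kept beside it for the edit form, and the cost is that the two columns must be kept in step on every update.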