Re: I need a fresh look at storing variables in MySQL

On Sun, 2010-03-14 at 11:15 +0100, Rene Veerman wrote:

> On Sun, Mar 14, 2010 at 7:18 AM, Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> wrote:
> >
> > Tedd's perfectly capable of speaking for himself, but I can tell you
> > he's been on this list for a long time, and his skills are plenty
> > adequate for this task. He's just asking for second opinions.
> >
> Wouldn't someone with adequate DB skills know if he(/she) even needs
> to build a data model, and given the simplicity of this one, how? Based
> on what I mentioned earlier, type and amount of use of stored reports?
> 
> I don't mind noobishness in any area, but I have learned to keep code
> as simple as possible.
> 
> BTW:
> - as always, I recommend adodb.sf.net for DB abstractions.
> - if you are storing in DB and displaying from DB later you need to
> prevent code injections (sql, html, js, flash) by pushing all strings
> used in sql insert- and update-fields;
>  $sql = 'insert into table (field1_int, field2_string,etc) values
> ('.$field1.', "'.antiSQLinjection($field2).'", ...);
> 
> I'm using this function atm, maybe someone can improve upon it. This
> disables all sql injections, and strips all html, js & flash.
> 
> function antiSQLinjection ($string) {
>
>   // undo magic_quotes_gpc first: if this ran after the escaping below,
>   // stripslashes() would remove the escaping backslashes again
>   if (get_magic_quotes_gpc())  // prevents duplicate backslashes
>   {
>     $string = stripslashes($string);
>   }
>
>   //anti SQL injections:
>   if (version_compare(phpversion(), '4.3.0', '>='))
>   {
>     $string = mysql_real_escape_string($string);
>   }
>   else
>   {
>     $string = mysql_escape_string($string);
>   }
>
>   //anti HTML/JS/flash injections (into searchterms, for instance):
>   $string = strip_tags($string);
>
>   return $string;
> }
> 


That function won't always work. You're using a PHP version check for
mysql_real_escape_string() when the most likely failure point for it is
if no database connection has been opened.

Also, you shouldn't strip the tags from a string that's being inserted
into the database. strip_tags() is for the display of data on a web
page. It's best practice not to alter the actual data you've stored but
to convert it once it's displayed. Don't forget that the browser display
may not be the only use for that data.

Thanks,
Ash
http://www.ashleysheridan.co.uk
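The split Ash describes, written out as an added example that is not code from either poster: keep the stored data intact, make the connection the escaping depends on an explicit requirement instead of a silent failure, and escape for the browser only at display time. It assumes a mysqli connection `$db` opened by the caller and a hypothetical `comments` table with a `body` column; the function names are made up for the example.

```php
<?php
// Added example, not from the thread. Assumes an open mysqli connection $db
// and a hypothetical table `comments` with a text column `body`.

// Store the text exactly as submitted. A prepared statement keeps the value
// out of the SQL text, so nothing needs to be escaped or stripped here and
// the stored row stays usable for non-browser consumers (CSV, mail, API).
function storeComment(mysqli $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $body);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $db->insert_id;
}

// If SQL must be built by string concatenation, the escaping call needs a live
// connection (it uses the connection's character set). Refuse to continue
// without one rather than returning an unescaped string, which is the failure
// mode Ash points out for mysql_real_escape_string().
function escapeForSql(?mysqli $db, string $value): string
{
    if ($db === null || $db->connect_errno !== 0) {
        throw new RuntimeException('no database connection; cannot escape safely');
    }
    return $db->real_escape_string($value);
}

// Escape at the point of display, for the HTML context. The database row is
// unchanged; only this rendering is made safe for a browser.
function renderForHtml(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: strip_tags() at storage time would have thrown
// away the <b> markup and left "1 < 2" in a form that later breaks in HTML.
$sample = 'Use <b>bold</b> sparingly; 1 < 2 && "quotes" stay intact';
echo renderForHtml($sample), PHP_EOL;
// The browser shows the literal text; the HTML source carries &lt;b&gt; etc.
```

With this layout, a value like the constructed `$sample` above is stored byte for byte, so a later plain-text export still sees the original text, while the HTML page gets the entity-encoded form; a second output context (JSON, a mail body) gets its own encoder at its own display point rather than relying on what was done at insert time.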


