Hi Richard,

Oh my... I hate those PDFs :-((
Could someone tell me in a few words what I need to do besides mysql_real_escape_string() and HTML input sanitizing?

Thanks and sorry for the inconvenience)

--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

------------ Original message ------------
From: admin@xxxxxxxxxxxxxxxxxxx <admin@xxxxxxxxxxxxxxxxxxx>
To: 'Jason Pruim'
Date created: , 4:17:55 AM
Subject: Filtering data not with mysql...

To quote "Jonathan":

Well, mysql_real_escape_string doesn't protect against SQL injections more than addslashes, but that's not the reason you use it. addslashes() was from the developers of PHP, whereas mysql_real_escape_string uses the underlying MySQL C++ API (i.e. from the developers of MySQL). mysql_real_escape_string escapes EOF chars, quotes, backslashes, carriage returns, nulls, and line feeds. There is also the charset aspect.

However, it is a common thought among a lot of PHP programmers (beginning and even more advanced) that SQL injections are the only thing to guard against when sanitizing user input for use in a query. That, actually, is incorrect. If you only rely on *_escape_string and addslashes because you are only thinking about injections, you leave yourself vulnerable to attacks from users.

http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

It's a nice read, especially if you like reading articles about PHP programming (*guilty*). Scroll down to page 78 where they talk about LIKE attacks.

Richard L. Buskirk

-----Original Message-----
From: Jason Pruim [mailto:lists@xxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, May 18, 2011 9:19 PM
To: php-general@xxxxxxxxxxxxx
Subject: Filtering data not with mysql...

Hey Everyone,

Probably a simple question but I wanted to make sure I was right before I got too far ahead of myself....

I have a form that I am working on and this form will be emailed to the recipient for processing (not stored in a database). When I store in a database, I simply run all the data through mysql_real_escape_string() and it's all good... Without the database, is it just as easy as addslashes($var)? Or is there more that needs to be done? In the end, the info will be echoed back out to the user to be viewed but not edited, and emailed to someone to add the registration, collect money, etc etc.

Am I on the right track or do I need to rethink my whole process? :)

Thanks Everyone!

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
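Richard's point that SQL escaping only covers the SQL-literal context (the LIKE wildcard case he cites) together with the two destinations in Jason's question (echoing back into HTML and sending by email), as an added example that is not code from the thread: it assumes mysqli with prepared statements, a hypothetical `users` table, invented function names, and a constructed input value.

```php
<?php
// Added example, not code from the thread. One user-supplied value, three
// destinations, each with its own rule; SQL escaping alone covers none of them.
// Function names and the `users` table are assumptions.
declare(strict_types=1);

// 1. SQL LIKE pattern: a bound parameter (or *_escape_string) leaves % and _
//    untouched, and inside a pattern they are wildcards, so a search term of
//    "%" matches every row. Prefix them, and the escape character itself, with '!'.
function escapeLikePattern(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

function searchUsersStmt(mysqli $db, string $term): mysqli_stmt
{
    $pattern = '%' . escapeLikePattern($term) . '%';
    // Binding keeps quotes out of the SQL text; ESCAPE '!' tells MySQL which
    // character marks a literal % or _ inside the pattern.
    $stmt = $db->prepare("SELECT id FROM users WHERE name LIKE ? ESCAPE '!'");
    $stmt->bind_param('s', $pattern);
    return $stmt;
}

// 2. HTML output (the "echoed back out to the user" step): addslashes() and
//    *_escape_string do nothing useful here; encode for the HTML context.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Mail header (the "emailed to someone" step): a CR or LF in a header value
//    would let extra headers be appended, so reject it outright rather than escape.
function forMailHeader(string $s): string
{
    if (preg_match('/[\r\n]/', $s) === 1) {
        throw new InvalidArgumentException('line break in mail header value');
    }
    return $s;
}

// Constructed input: an apostrophe (what addslashes handles) plus a wildcard.
$input = "O'Brien%";
var_dump(addslashes($input));        // apostrophe escaped, % still a wildcard
var_dump(escapeLikePattern($input)); // % literal now; the quote is left to binding
var_dump(forHtml("<b>$input</b>"));  // tags and quote encoded, safe to echo
```

The message body itself is not a header, so `forMailHeader()` applies to values placed in From, Subject or similar fields; the body only needs `forHtml()` if the mail is sent as HTML.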