Re: Filtering data not with mysql...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Richard,

Oh my... I hate those pdf's :-((
Could  someone  tell  me  in  some  words  what do I need to do beside
mysql_real_escape_string() and Html input sanitizing?
Thanks and sorry for the inconvenience)

-- 
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mostly in Russian)
Twitter: http://twitter.com/m_elensule
Facebook: http://facebook.com/menelion

------------ Original message ------------
From: admin@xxxxxxxxxxxxxxxxxxx <admin@xxxxxxxxxxxxxxxxxxx>
To: 'Jason Pruim'
Date created: , 4:17:55 AM
Subject:  Filtering data not with mysql...


      To quote "Jonathan"

Well, mysql_real_escape_string doesn't protect against sql injections more
than addslashes, but that's not the reason you use it. addslashes() was from
the developers of PHP whereas mysql_real_escape_string uses the underlying
MySQL C++ API (i.e. from the developers of MySQL). mysql_real_escape_string
escapes EOF chars, quotes, backslashes, carriage returns, nulls, and line
feeds. There is also the charset aspect.

However, it is a common thought among a lot of PHP programmers (beginning
and even more advanced) that SQL injections are the only thing to guard
against with sanitizing user input using it in a query. That, actually, is
incorrect. If you only rely on *_escape_string and addslashes because you
are only thinking about injections, you leave yourself vulnerable to attacks
from users.

http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf
It's a nice read, especially if you like reading articles about PHP
programming (*guilty*). Scroll down to page 78 where they talk about LIKE
attacks.


Richard L. Buskirk


-----Original Message-----
From: Jason Pruim [mailto:lists@xxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, May 18, 2011 9:19 PM
To: php-general@xxxxxxxxxxxxx
Subject:  Filtering data not with mysql...

Hey Everyone,

Probably a simple question but I wanted to make sure I was right  
before I got to far ahead of my self....

I have a form that I am working on and this form will be emailed to  
the recipient for processing (Not stored in a database).

When I store in a database, I simply run all the data through  
mysql_real_escape_string() and it's all good...  Without the database,  
is it just as easy as addslashes($var)? or is there more that needs to  
be done?

In the end, the info will be echoed back out to the user to be viewed  
but not edited and emailed to someone to add the registration collect  
money, etc etc.

Am I on the right track or do I need to rethink my whole process? :)

Thanks Everyone!



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux