Re: Slashes or no slashes


On Aug 23, 2010, at 11:38 PM, Karl DeSaulniers wrote:


On Aug 23, 2010, at 10:35 PM, Chris wrote:


Just to make sure, cause I am ready to get past this.
Is this correct?

function confirmUP($username, $password){
/* Verify that user is in database */
$q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";

Perfect.

/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']); // Or is this where I need to leave htmlspecialchars off too?

Leave it off.

You're not displaying $dbarray['password'] here - so you don't need to use htmlspecialchars.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Got it. So only when I am going to display the result from the database. I see. But for comparing $dbarray['password'] to $password, don't I have to escape $password and then md5 it?
TIA


Karl DeSaulniers
Design Drumm
http://designdrumm.com

@david.lopez: Your emails are getting blocked by my isp, so I have not seen any of your emails. Not ignoring you, promise.




In the case that you're comparing a field to a field in the database (the field name),
do you escape that, or because it is hardcoded you don't need to?
My thoughts are that you need to escape all data going in.
But I do not know if it will match.

EG:

   /**
    * updateProduct
    */
   function updateProduct($ProductName, $field, $value){
      $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." = '".mysql_real_escape_string($value)."' WHERE ProductName = '".mysql_real_escape_string($ProductName)."'";
      return $this->query($q);
   }

Do I escape $field?  mysql_real_escape_string($field)?
$field is not a user-entered value, but should I escape it to block hacks?
If $field = "username", will mysql_real_escape_string($field) match?
My thoughts are yes, because there are no special characters in my hardcode, and if there was an attempt to do an injection with this var, it would catch it.
Am I on the right path with my thoughts?
TIA

Karl DeSaulniers
Design Drumm
http://designdrumm.com
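Editor's note with an added example (not code from this thread). The two questions above, whether $password needs escaping before it is md5'd and whether escaping $field protects updateProduct(), have the same answer: mysql_real_escape_string() is only meaningful for data that is placed inside a quoted SQL string literal. A password that is hashed and compared in PHP never enters the query, so there is nothing to escape. A column name in SET ... = sits outside any quotes, so a payload with no quote, backslash or newline passes through the escape function unchanged and still rewrites the statement; the fix is an allow-list of column names, with the values bound as parameters. The script below shows both. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (the mysql_* extension itself is gone from PHP 7); escapeLikeMysql() is a stand-in for mysql_real_escape_string(), and the table and column names (products, ProductName, Price, Stock, users, username, password) are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. Runs against in-memory SQLite via PDO;
// the identifier-vs-value distinction is the same in MySQL. Table/column names
// (products, ProductName, Price, Stock, users, username, password) are assumptions.

// Stand-in for mysql_real_escape_string(), which needs a live MySQL connection.
// Both escape only characters that matter INSIDE a quoted string literal.
function escapeLikeMysql(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// The pattern from the thread: $field is escaped, but it is not inside quotes.
function naiveUpdateSql(string $field, string $value, string $productName): string {
    return "UPDATE products SET " . escapeLikeMysql($field)
         . " = '" . escapeLikeMysql($value)
         . "' WHERE ProductName = '" . escapeLikeMysql($productName) . "'";
}

// Hardened form: identifiers cannot be bound as parameters, so allow-list them
// and bind only the values.
const UPDATABLE_FIELDS = ['ProductName', 'Price', 'Stock'];

function updateProduct(PDO $db, string $productName, string $field, string $value): int {
    if (!in_array($field, UPDATABLE_FIELDS, true)) {
        throw new InvalidArgumentException("Not an updatable column: $field");
    }
    // $field is now one of three known-good names (quote it with backticks on MySQL).
    $stmt = $db->prepare("UPDATE products SET $field = :value WHERE ProductName = :name");
    $stmt->execute([':value' => $value, ':name' => $productName]);
    return $stmt->rowCount();
}

// Login check: the typed password never enters SQL, so there is nothing to
// escape; only the username is placed in the query, and it is bound.
function confirmUP(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare("SELECT password FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // password_verify() replaces the md5() comparison discussed in the thread.
    // With a legacy md5 column you would use hash_equals($row['password'], md5($password)).
    return password_verify($password, $row['password']);
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products (ProductName TEXT PRIMARY KEY, Price REAL, Stock INTEGER)");
$db->exec("INSERT INTO products VALUES ('Drum', 100.0, 5), ('Stick', 10.0, 50)");
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)");
$db->prepare("INSERT INTO users VALUES (?, ?)")
   ->execute(['karl', password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. Escaping $field does not help: this payload has no quote, backslash or
//    newline, so escapeLikeMysql() returns it unchanged, and the "--" comments
//    out the real WHERE clause, so every product is updated.
$sql = naiveUpdateSql("Price = 0 WHERE 1=1 --", "0", "Drum");
echo $sql, "\n";
$affected = $db->exec($sql);
echo "rows changed by injected update: $affected\n";

// 2. The allow-listed version rejects the same payload before any SQL is built,
//    and a legitimate column name still works.
try {
    updateProduct($db, "Drum", "Price = 0 WHERE 1=1 --", "0");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo "legitimate update changed ", updateProduct($db, "Drum", "Price", "120"), " row(s)\n";

// 3. Passwords: no escaping, no htmlspecialchars(), just a hash comparison.
var_dump(confirmUP($db, "karl", "correct horse"));        // correct password
var_dump(confirmUP($db, "karl", "it's wrong"));           // quote in the password is harmless
var_dump(confirmUP($db, "karl' OR '1'='1", "anything"));  // username is a bound parameter
```

Run it with `php` on the command line. The echoed SQL makes the problem visible: after the injected column name the statement reads `... SET Price = 0 WHERE 1=1 -- = '0' WHERE ProductName = 'Drum'`, the original WHERE clause is inside a comment, and the affected-row count is the whole table, even though the escape function found nothing to escape. Where $field really is hard-coded in your own source, mysql_real_escape_string() neither helps nor hurts; the allow-list is what matters the moment that value can come from a request.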




