> -----Original Message----- > From: tedd [mailto:[EMAIL PROTECTED] > Sent: 26 May 2006 02:27 > To: Chrome; 'tedd'; [EMAIL PROTECTED] > Cc: 'Eric Butera'; 'php' > Subject: RE: [PHP] Filtering (was storing single and double quote in > MySQL) > > At 11:51 PM +0100 5/25/06, Chrome wrote: > >[snip] > >1. Anytime you put anything into a dB then use > >mysql_real_escape_string() function. If you are NOT going to put it > >in a dB, then you don't need mysql_real_escape_string() function -- > >understand? > >[/snip] > > > >Untrue... It isn't just inserting into a DB that requires this > function... > >Consider: > > > >User enters: > >anything'; DROP TABLE x; SELECT 'a' = 'a > > > >into the form for username... Now your unescaped SQL statement reads: > > > >UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE > x; > >SELECT 'a' = 'a' > > > >Where x can be a brute-forced table name... I can't remember if MySQL > allows > >multiple statements but I seem to remember hearing that MySQL5 does... If > >I'm wrong correct me and tell me to RTFM :) > > > >Nice catch on the error... I didn't notice that :) > > > >HTH (and that I'm right :) ) > > > >Dan > > Dan: > > A couple of things: One, I'm not sure if afan understands multiple > statements, so I didn't want to confuse him; Two, I don't use > multiple statements because they confuse me. I'm much more of a > step-by-step programmer.
I don't use them either; hence my uncertainty :) > I find that sometimes it's best to provide something simple for > someone to learn rather than confuse them with remote possibilities. > I taught at college level and believe me when I say there is nothing > dumber than a student. Baby steps are best -- and the same for me > when I'm learning as well. I'm still learning... very much so... which is why all my advice is subject to correction by a higher mortal... step forward, you know who you are :) > In the exchange I had with afan, we were talking about placing data > into a dB without the need for escapes and I think the advice I gave > him was correct. Never doubted that :)... I have seen much of your advice > I realize that there are exceptions to just about anything IF you dig > deep enough. For example did you know that if magic_quotes are turned > ON and you use escape_data() that function will use > mysql_real_escape_string(). So, here's an example that proves your > point, but if I was to inform afan of that, what good would it do? > Knowing that hasn't done anything for me. I only sought to provide knowledge... knowing the pitfalls regardless of how bad the advice is set out/worded surely must be good Security should be foremost and ignorance no excuse... That's not to say anyone can't make a mistake :) > > In any event, your point is well taken -- thanks for the clarification. > > tedd > > -- > -------------------------------------------------------------------------- > ---------- > http://sperling.com http://ancientstones.com http://earthstones.com > > __________ NOD32 1.1559 (20060525) Information __________ > > This message was checked by NOD32 antivirus system. > http://www.eset.com Dan -- http://chrome.me.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
