On Thu, Feb 28, 2008 at 12:56 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:
>
>
>  On Feb 28, 2008, at 12:39 PM, Eric Butera wrote:
>
>  > On Thu, Feb 28, 2008 at 11:57 AM, Jason Pruim <[EMAIL PROTECTED]>
>  > wrote:
>  >>
>  >>
>  >> On Feb 28, 2008, at 11:28 AM, Eric Butera wrote:
>  >>
>  >>> On Wed, Feb 27, 2008 at 5:12 PM, Daniel Brown <[EMAIL PROTECTED]>
>  >>> wrote:
>  >>>> On Wed, Feb 27, 2008 at 4:55 PM, Jason Pruim <[EMAIL PROTECTED]>
>  >>>> wrote:
>  >>>>
>  >>>>>       function authentication($user, $pass, $authenticated, $table){
>  >>>>>
>  >>>>>               // Keep in mind, PASSWORD has meaning in MySQL
>  >>>>>               // Do your string sanitizing here
>  >>>>>               // (e.g. - $user = mysql_real_escape_string($_POST['user']);)
>  >>>>>               $salt = "salt";
>  >>>>>               $salt1 = $salt;
>  >>>>>               $salt1 .= $pass;
>  >>>>>
>  >>>>>               $password = md5("$salt1");
>  >>>>>               $loginQuery = "SELECT * FROM current WHERE loginName='".$user."' AND loginPassword='".$password."' LIMIT 0,1;";
>  >>>>>               $loginResult = mysql_query($loginQuery) or die("Wrong data supplied or database error" . mysql_error());
>  >>>>>               while($row1 = mysql_fetch_array($loginResult)) {
>  >>>>>                       $_SESSION['user'] = $row1['loginName'];
>  >>>>>                       $_SESSION['loggedin'] = "YES";
>  >>>>>                       $authenticated = "true";
>  >>>>>                       $table = $row1['tableName'];
>  >>>>>
>  >>>>>               }
>  >>>>>       return $table;
>  >>>>>       return $authenticated;
>  >>>>>       }
>  >>>>
>  >>>
>  >>> Guess all your posts stating to sanitize data just really don't have
>  >>> an impact, huh?  Perhaps you should stop posting code that doesn't
>  >>> validate/escape as it will be copied and pasted as I've told you
>  >>> before.
>  >>
>  >> The code for escaping and sanitizing the input is in a different
>  >> module of the program. I actually do it right before sending it to my
>  >> authentication function.  I didn't see the need to post it since it
>  >> wasn't related to the problem :)
>  >>
>  >> And the comments were from Mr. Brown who gave me the code originally
>  >> that has now been adapted to use in a different program :)
>  >>
>  >
>  > Your escaping should be right before you run the query, not somewhere
>  > else.  What if you change something around and take off the escaping
>  > function?  Or what if you decide to change your database connection?
>  > Having it all in one spot makes it easier to make changes and know it
>  > isn't going to bust.
>
>
>  It's actually just before I call the function... The database
>  connection is in a completely separate function from everything that
>  we have been talking about... And all that's in that file is:
>
>         $link = "false";
>         function dbmysqlconnect($server, $username, $password, $database) {
>                 $link = mysql_connect($server, $username, $password, $database) or die('Could not connect: ' . mysql_error());
>                 mysql_select_db($database) or die('Could not select database: ' . mysql_error());
>                 return $link;
>
>         }
>
>

Jason,

Keep in mind that data validation and escaping are two different
concepts. Data validation should happen as soon as you read the value
from the user to make sure that user names are long enough/not too
long, phone numbers or e-mail addresses contain only valid characters,
etc. That part should definitely be happening outside your function.

However, escaping should really only happen at the point it is needed,
and Dan's comments suggest a very good place for this to happen. (I
often put it even later - directly at the point it gets merged into
the string either through concatenation or through a function like
sprintf.) This is because the escape sequences are not part of the
actual data. Your application may need to use any of several different
character escaping functions (or no escaping at all) on the same value
depending on whether that value is going to a browser, a database, a
socket, an LDAP query, etc. This prevents you from having to write
lines like this:

$user = mysql_real_escape_string(stripslashes($user));

or this:

echo htmlspecialchars(stripslashes($my_text));

(This is one reason magic_quotes is such a Bad Idea[tm].)


[BTW - Who trademarked all these phrases on this list anyway? :-)]

What you have done may work and be quite safe. However, Eric pointed
out some very good reasons to keep the character escaping inside this
function.

Andrew
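As an added illustration of the point above (not code from any poster in this thread), the following script validates a user name once at the input boundary and then escapes it only at each sink: a bound parameter at the SQL sink and htmlspecialchars at the HTML sink. It assumes PDO with the SQLite driver so it runs stand-alone; the table, its columns, the sample account and password_hash (standing in for the md5-plus-salt scheme quoted above) are all my own choices.

```php
<?php
// Added example, not code from the thread. Validation happens once at the
// input boundary; escaping happens only at each sink (SQL via a bound
// parameter, HTML via htmlspecialchars), so the value is never stored
// pre-escaped. Uses an in-memory SQLite database through PDO; the table,
// columns and sample account below are constructed for this example.

function validateUsername(string $user): bool
{
    // Validation: check the shape of the data, not its escaping.
    return (bool) preg_match('/^[A-Za-z0-9.\'_-]{3,32}$/', $user);
}

function authenticate(PDO $db, string $user, string $pass): ?array
{
    // SQL sink: the bound parameter does the job mysql_real_escape_string
    // did in the thread, but at the exact point the value meets the query.
    $stmt = $db->prepare(
        'SELECT loginName, passwordHash, tableName FROM current'
        . ' WHERE loginName = :u LIMIT 1'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['passwordHash'])) {
        return null;
    }
    return ['user' => $row['loginName'], 'table' => $row['tableName']];
}

function welcomeHtml(string $user): string
{
    // HTML sink: escaped here and nowhere earlier.
    return '<p>Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed fixture: one account whose name contains a quote character.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE current (loginName TEXT, passwordHash TEXT, tableName TEXT)');
$db->prepare('INSERT INTO current VALUES (:u, :h, :t)')
   ->execute([':u' => "o'brien", ':h' => password_hash('secret', PASSWORD_DEFAULT),
              ':t' => 'obrien_contacts']);

$input = "o'brien";                      // stands in for $_POST['user']
if (!validateUsername($input)) {
    exit("invalid user name\n");
}
$account = authenticate($db, $input, 'secret');
echo $account ? "table: {$account['table']}\n" : "login failed\n";
echo welcomeHtml($input), "\n";          // the quote is escaped only here
```

The same raw `$input` reaches both sinks unchanged, so no stripslashes() chain is ever needed.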

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
