Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Dotan Cohen
On 25/01/2008, Jim Lucas <[EMAIL PROTECTED]> wrote:
> That should be considered part of the DRY method.  But spanning page
> requests.
>
> I cannot see any reason why you shouldn't be doing this before you
> insert this information into your DB.  Doing it once on your insert,
> instead of every single page request would seem to me a much better use
> of resources.
>
> If you are needing to have the tags in the DB, what I would do is
> add a second column in your DB.  One that contains the clean version and
> one that contains the marked up version.  Then you are not doing so much
> work on each page load, and you are able to retain the marked up version
> for editing ( i assume )

I will do as you suggest here, as disk space is cheaper than processor
time. Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Jim Lucas

Richard Lynch wrote:
> On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
>> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
>>> It is NOT safe from, say, XSS attack if $evilString contains an XSS
>>> snippet and you re-display it on your site.
>>>
>>> In other words, you should still filter the INPUT somewhere; But you
>>> are escaping the output to MySQL so that it is not going to execute
>>> arbitrary SQL on your DB server.
>>
>> After I pull the info out of the database, before it goes to the
>> webbrowser, it goes through this:
>>
>> function clean_html ($dirty) {
>>   $dirty=strip_tags($dirty);
>
> The strip_tags should probably have been done before it ever went into
> the database, as part of INPUT FILTERING rather than escaping
> output...

That should be considered part of the DRY method.  But spanning page
requests.

I cannot see any reason why you shouldn't be doing this before you
insert this information into your DB.  Doing it once on your insert,
instead of every single page request would seem to me a much better use
of resources.

If you are needing to have the tags in the DB, what I would do is
add a second column in your DB.  One that contains the clean version and
one that contains the marked up version.  Then you are not doing so much
work on each page load, and you are able to retain the marked up version
for editing ( i assume )

>>   $clean=htmlentities($dirty);
>>   return $clean;
>> }

--
Jim Lucas

   "Some men are born to greatness, some achieve greatness,
   and some have greatness thrust upon them."

Twelfth Night, Act II, Scene V
by William Shakespeare

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Richard Lynch
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> It is NOT safe from, say, XSS attack if $evilString contains an XSS
>> snippet and you re-display it on your site.
>>
>> In other words, you should still filter the INPUT somewhere; But you
>> are escaping the output to MySQL so that it is not going to execute
>> arbitrary SQL on your DB server.
>
> After I pull the info out of the database, before it goes to the
> webbrowser, it goes through this:
>
> function clean_html ($dirty) {
>   $dirty=strip_tags($dirty);

The strip_tags should probably have been done before it ever went into
the database, as part of INPUT FILTERING rather than escaping
output...

>   $clean=htmlentities($dirty);
>   return $clean;
> }


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Dotan Cohen
On 24/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> That won't save you if you're echoing into a single quote attribute.
> (ie: src='')

Even after I've stripped away the tags with strip_tags()?

> Like htmlspecialchars(), the optional second quote_style parameter
> lets you define what will be done with 'single' and "double" quotes.
> It takes on one of three constants with the default being ENT_COMPAT:
>
> ENT_COMPAT  Will convert double-quotes and leave single-quotes alone.
>
>
> You might want to just use: htmlspecialchars($string, ENT_QUOTES);

I'm heading over to the manpage to look at that now, thanks.

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Eric Butera
On Jan 24, 2008 1:03 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > It is NOT safe from, say, XSS attack if $evilString contains an XSS
> > snippet and you re-display it on your site.
> >
> > In other words, you should still filter the INPUT somewhere; But you
> > are escaping the output to MySQL so that it is not going to execute
> > arbitrary SQL on your DB server.
>
> After I pull the info out of the database, before it goes to the
> webbrowser, it goes through this:
>
> function clean_html ($dirty) {
>   $dirty=strip_tags($dirty);
>   $clean=htmlentities($dirty);
>   return $clean;
> }

That won't save you if you're echoing into a single quote attribute.
(ie: src='')

Like htmlspecialchars(), the optional second quote_style parameter
lets you define what will be done with 'single' and "double" quotes.
It takes on one of three constants with the default being ENT_COMPAT:

ENT_COMPAT  Will convert double-quotes and leave single-quotes alone.


You might want to just use: htmlspecialchars($string, ENT_QUOTES);
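To make the single-quoted-attribute point concrete, here is an added example (not code from the thread) that runs the thread's clean_html() steps once with ENT_COMPAT and once with ENT_QUOTES on a constructed value and renders each result into a src='...' attribute. The names clean_html_compat(), clean_html_quotes(), render_img() and check() are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread. It runs the thread's clean_html()
// steps with ENT_COMPAT and with ENT_QUOTES against a constructed value, to
// show what the warning about echoing into a single-quoted attribute means.

// The thread's function, with the quote style spelled out. Before PHP 8.1 the
// default was ENT_COMPAT; since 8.1 the default already includes ENT_QUOTES, so
// passing the flag explicitly keeps the demonstration the same on every version.
function clean_html_compat(string $dirty): string
{
    $dirty = strip_tags($dirty);
    return htmlentities($dirty, ENT_COMPAT, 'UTF-8');
}

// The fix suggested in the thread: ENT_QUOTES converts ' as well as ".
function clean_html_quotes(string $dirty): string
{
    $dirty = strip_tags($dirty);
    return htmlentities($dirty, ENT_QUOTES, 'UTF-8');
}

// Render the value inside a single-quoted attribute, the context described above.
function render_img(string $escaped): string
{
    return "<img src='" . $escaped . "'>";
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample: it contains no tags, so strip_tags() removes nothing, but
// the apostrophe closes a src='...' attribute and lets a second attribute follow.
$untrusted = "photo.png' title='injected";

$compat = clean_html_compat($untrusted);
$quotes = clean_html_quotes($untrusted);

// ENT_COMPAT leaves the apostrophe alone, so the attribute boundary is broken:
//   <img src='photo.png' title='injected'>
check(strpos($compat, "'") !== false, 'ENT_COMPAT keeps the single quote');
check(render_img($compat) === "<img src='photo.png' title='injected'>", 'attribute split');

// ENT_QUOTES turns it into &#039;, so the whole value stays inside src='...':
//   <img src='photo.png&#039; title=&#039;injected'>
check(strpos($quotes, "'") === false, 'ENT_QUOTES removes the raw single quote');
check($quotes === 'photo.png&#039; title=&#039;injected', 'entity form');

echo "ENT_COMPAT : ", render_img($compat), "\n";
echo "ENT_QUOTES : ", render_img($quotes), "\n";
```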


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Dotan Cohen
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> It is NOT safe from, say, XSS attack if $evilString contains an XSS
> snippet and you re-display it on your site.
>
> In other words, you should still filter the INPUT somewhere; But you
> are escaping the output to MySQL so that it is not going to execute
> arbitrary SQL on your DB server.

After I pull the info out of the database, before it goes to the
webbrowser, it goes through this:

function clean_html ($dirty) {
  $dirty=strip_tags($dirty);
  $clean=htmlentities($dirty);
  return $clean;
}

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Richard Lynch
On Thu, January 24, 2008 10:01 am, Dotan Cohen wrote:
> On 24/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> > Which basically is the same as a simple mysql_real_escape_string?
>> In
>> > other words, mysql_real_escape_string itself is safe from SQL
>> > injection?
>>
>> not exactly - it assumes you will use the value as a quoted string
>> in a query.
>>
>> $s = clean_mysql("foo -- bar ; ' qux");
>> $q = "INSERT INTO foo (bar) VALUES ('$s')";
>
> Ah, we've gotten to the meat. So long as there as single quotes around
> the data that has gone through mysql_real_escape_string there is no
> danger of SQL injection? So this is safe:
> mysql_query("
> INSERT INTO
> foo (bar)
> VALUES (
> '".mysql_real_escape_string($evilString)."'
> )");

It is safe from SQL injection.

It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.

In other words, you should still filter the INPUT somewhere; But you
are escaping the output to MySQL so that it is not going to execute
arbitrary SQL on your DB server.





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Richard Lynch
On Wed, January 23, 2008 11:28 pm, Dotan Cohen wrote:
> In
> other words, mysql_real_escape_string itself is safe from SQL
> injection?

Yes.

That is the entire purpose of the existence of that function in the
first place.





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Dotan Cohen
On 24/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > Which basically is the same as a simple mysql_real_escape_string? In
> > other words, mysql_real_escape_string itself is safe from SQL
> > injection?
>
> not exactly - it assumes you will use the value as a quoted string in a query.
>
> $s = clean_mysql("foo -- bar ; ' qux");
> $q = "INSERT INTO foo (bar) VALUES ('$s')";

Ah, we've gotten to the meat. So long as there as single quotes around
the data that has gone through mysql_real_escape_string there is no
danger of SQL injection? So this is safe:
mysql_query("
INSERT INTO
foo (bar)
VALUES (
'".mysql_real_escape_string($evilString)."'
)");

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-24 Thread Jochem Maas

Dotan Cohen wrote:
> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
>>> Is the "--" here not treated as the beginning of an SQL comment?
>>
>> No, because it is inside the apostrophes.
>>
>> The purpose of mysql_real_escape_string (or using prepared statements)
>> is to mark up (or separate) the DATA from the QUERY.
>>
>> The data about to be put into the database being escaped by
>> mysql_real_escape_string is sufficient to be sure nobody is playing
>> games with apostrophe followed by -- which could, in theory, insert an
>> SQL comment or allow them to execute arbitrary SQL code.
>
> In that case, the function:
>
> function clean_mysql ($dirty) {
>   $dirty=str_replace ("--", "", $dirty);
>   $dirty=str_replace (";", "", $dirty);
>   $clean=mysql_real_escape_string($dirty);
>   return $clean;
> }
>
> Can be reduced to:
>
> function clean_mysql ($dirty) {
>   $clean=mysql_real_escape_string($dirty);
>   return $clean;
> }

or even:

function clean_mysql ($dirty)
{
    return mysql_real_escape_string($dirty);
}

although I would make it part of a DB connection object so that
you can explicitly and transparently pass in the link id.

class myDBC
{
    private $link;

    function __construct($u, $p, $db, $cs)
    {
        // connect to given $db or throw exception
    }

    function cleanStr($s)
    {
        return mysql_real_escape_string($s, $this->link);
    }
}

just a thought.

> Which basically is the same as a simple mysql_real_escape_string? In
> other words, mysql_real_escape_string itself is safe from SQL
> injection?

not exactly - it assumes you will use the value as a quoted string in a query.

$s = clean_mysql("foo -- bar ; ' qux");
$q = "INSERT INTO foo (bar) VALUES ('$s')";


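As an added example (not code from the thread), the same "foo -- bar ; ' qux" value is taken through a PDO prepared statement, which separates the DATA from the QUERY as Richard describes, and through PDO::quote(), the connection-aware counterpart of the cleanStr() sketched above. It assumes an in-memory SQLite database so that it runs offline; with MySQL the same PDO calls apply and the charset belongs in the DSN, and the function names open_db(), insert_bar(), fetch_bar(), quoted_literal() and check() are made up for the demonstration.

```php
<?php
// Added example, not code from the thread. SQLite in memory is an assumption so
// this runs offline; with MySQL the same PDO calls apply and the charset is
// declared in the DSN (e.g. "mysql:host=...;dbname=...;charset=utf8mb4") so the
// driver, not the application, knows which bytes need escaping. Table and
// column names follow the INSERT in the thread; everything else is constructed.

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server receives real placeholders instead of a client-side-quoted string.
    $pdo->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT NOT NULL)');
    return $pdo;
}

// DATA travels as a bound parameter and is never spliced into the QUERY text,
// so "--", ";" and "'" cannot become SQL syntax, quoted context or not.
function insert_bar(PDO $pdo, string $value): int
{
    $stmt = $pdo->prepare('INSERT INTO foo (bar) VALUES (:bar)');
    $stmt->execute([':bar' => $value]);
    return (int) $pdo->lastInsertId();
}

// Numeric context: bind as an integer instead of interpolating. This is the
// case where string escaping alone would not help, because the value does not
// sit inside quotes in the query.
function fetch_bar(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT bar FROM foo WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $bar = $stmt->fetchColumn();
    return $bar === false ? null : $bar;
}

// The escape-then-quote route: PDO::quote() is the connection-aware counterpart
// of mysql_real_escape_string(), with the difference that it returns the literal
// already wrapped in quotes, so the caller must not add another pair.
function quoted_literal(PDO $pdo, string $value): string
{
    return $pdo->quote($value);
}

$pdo    = open_db();
$sample = "foo -- bar ; ' qux";   // the thread's own sample value

$id = insert_bar($pdo, $sample);
check(fetch_bar($pdo, $id) === $sample, 'round trip keeps -- ; and \' intact');
check((int) $pdo->query('SELECT COUNT(*) FROM foo')->fetchColumn() === 1, 'exactly one row');

$literal = quoted_literal($pdo, $sample);
check($literal === "'foo -- bar ; '' qux'", 'quote() doubles the apostrophe and wraps');
$row = $pdo->query("SELECT $literal AS bar")->fetch(PDO::FETCH_ASSOC);
check($row['bar'] === $sample, 'quoted literal parses back to the same data');

echo "stored and read back: ", fetch_bar($pdo, $id), "\n";
```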



Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> > Is the "--" here not treated as the beginning of an SQL comment?
>
> No, because it is inside the apostrophes.
>
> The purpose of mysql_real_escape_string (or using prepared statements)
> is to mark up (or separate) the DATA from the QUERY.
>
> The data about to be put into the database being escaped by
> mysql_real_escape_string is sufficient to be sure nobody is playing
> games with apostrophe followed by -- which could, in theory, insert an
> SQL comment or allow them to execute arbitrary SQL code.

In that case, the function:

function clean_mysql ($dirty) {
  $dirty=str_replace ("--", "", $dirty);
  $dirty=str_replace (";", "", $dirty);
  $clean=mysql_real_escape_string($dirty);
  return $clean;
}

Can be reduced to:

function clean_mysql ($dirty) {
  $clean=mysql_real_escape_string($dirty);
  return $clean;
}

Which basically is the same as a simple mysql_real_escape_string? In
other words, mysql_real_escape_string itself is safe from SQL
injection?

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch


On Wed, January 23, 2008 3:30 pm, Chris wrote:
>
>> Right now I still use mysql_escape_string and it seems to work fine,
>> but it makes me nervous as everything else I use is mysqli and I
>> know
>> it is not 100% compatible (just haven't had anything break it yet) -
>> but I hate having to have a connection handle open just to escape
>> things.
>
> If you need to escape something you're going to do a query aren't you?
> Or am I missing something here?

One Example:
Perhaps you have a zillion chunks of data which you wish to cram into
a text file for insertion on a different box at a later time, as
quickly as possible, without the encoding happening on that box, for
whatever reason...

Not, perhaps, the most common scenario, and not, perhaps, the best way
to solve whatever led there, but it's not a totally unreasonable
thing.





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
> I think it was here on this list that we saw an example of SQL
> injection despite the use of mysql_escape_string. Some funky Asian
> charset was used, no?

I don't know that I'd call it funky, but yes.

Without the "real" MySQL does not know what charset you are using.

Without the charset, MySQL does not know what character codes to escape.

Without that, characters that it thinks are "fine" because it assumes
Latin-1 (or whatever) are not, in fact, "fine" because they are NOT
Latin-1.





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> Is the "--" here not treated as the beginning of an SQL comment?

No, because it is inside the apostrophes.

The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.

The data about to be put into the database being escaped by
mysql_real_escape_string is sufficient to be sure nobody is playing
games with apostrophe followed by -- which could, in theory, insert an
SQL comment or allow them to execute arbitrary SQL code.





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Chuck wrote:
> On Jan 22, 2008 7:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
>> I have a file of my own functions that I include in many places. One
>> of them uses mysql_real_escape_string, however, it may be called in a
>> context that will or will not connect to a mysql server, and worse,
>> may already be connected. So I must avoid connecting. However, when I
>> run the script without connecting I get this error:
>>
>> Warning: mysql_real_escape_string()
>> [function.mysql-real-escape-string]: Access denied for user:
>> '[EMAIL PROTECTED]' (Using password: NO)
>>
>> I was thinking about checking if there is a connection, and if not
>> then connecting. This seems redundant to me, however. What is the
>> list's opinion of this situation? Thanks in advance.
>
> Why not write a function that does the same thing?
> mysql_real_escape_strings is a very simple function. And if your data
> is properly normalized and you don't support other charsets its very
> simple.

does simple include detection of characters that are multiple bytes in length?
given that he uses UTF-8, which uses a variable-byte encoding scheme.




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread mike
On 1/23/08, Chris <[EMAIL PROTECTED]> wrote:

> If you need to escape something you're going to do a query aren't you?
> Or am I missing something here?

true. but i typically have everything in wrapper functions, and i
don't keep the actual resource variable exposed to use it (since it
needs a resource)

would be great just to have a string escape with charset, or just pass
it the charset and not the db connection handle.




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 24/01/2008, Chuck <[EMAIL PROTECTED]> wrote:
>
> Why not write a function that does the same thing?
> mysql_real_escape_strings is a very simple function. And if your data
> is properly normalized and you don't support other charsets its very
> simple.
>

Maintenance and security seem to be two very good reasons to use the
built in function. Do the more experienced in attendance think
differently? Should I go ahead and reimplement the function specific
to the UTF-8 charset?

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chuck
On Jan 22, 2008 7:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be connected. So I must avoid connecting. However, when I
> run the script without connecting I get this error:
>
> Warning: mysql_real_escape_string()
> [function.mysql-real-escape-string]: Access denied for user:
> '[EMAIL PROTECTED]' (Using password: NO)
>
> I was thinking about checking if there is a connection, and if not
> then connecting. This seems redundant to me, however. What is the
> list's opinion of this situation? Thanks in advance.

Why not write a function that does the same thing?
mysql_real_escape_strings is a very simple function. And if your data
is properly normalized and you don't support other charsets its very
simple.


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> Dotan Cohen schreef:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> I might just want to put '--' in a textfield used as the basis for content
> for a webpage. just because I want to. the most pertinent example are wikis,
> they use '--' as markup (which is usually transformed into an  when the
> results are output for viewing ... but obviously you want the original markup
> when editing.

Just because I want to is not a real world example. The wiki bit is.

> INSERT INTO foo (textfield) VALUES ('--');
>
> nothing to escape in the case of those chars being part of a string, the
> escaping mechanism [hopefully] ensures that a given string will never contain
> a byte sequence that the query parser will misinterpret as a sign to end the
> string (before the last intended quote delimiter) prematurely and thereby treat
> the remainder of the input string as SQL.

Is the "--" here not treated as the beginning of an SQL comment?

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Chris <[EMAIL PROTECTED]> wrote:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> Depends on your app.
>
> -- is an accepted things in emails as a marker for signatures.

You win that one.

> Also in mysql_query ; is automatically handled, you can't send multiple
> queries to mysql_query and have them execute.
>
> mysql_query() sends an unique query (multiple queries are not supported)

Very nice to know this. Thanks.

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> I can read, I saw 2 functions the first time. each function cleans *and*
>> escapes.
>>
>> cleaning is filtering of input.
>> escaping is preparing for output.
>>
>> 2 concepts.
>
> I see your point.
>
>> if the input needs to be stripped of html then it needs that regardless
>> of the output vector. again removing or not-accepting input if it contains
>> '--' is a question of filtering/validation ... besides which '--' is quite
>> acceptable for data stored in a text field but not for a numeric one.
>
> I'm not accepting "--" at all until someone can show me a real world
> case where one would use it, without the intention of SQL injection.
> How can it be escaped, anyway?

I might just want to put '--' in a textfield used as the basis for content
for a webpage. just because I want to. the most pertinent example are wikis,
they use '--' as markup (which is usually transformed into an  when the
results are output for viewing ... but obviously you want the original markup
when editing.

INSERT INTO foo (textfield) VALUES ('--');

nothing to escape in the case of those chars being part of a string, the
escaping mechanism [hopefully] ensures that a given string will never contain
a byte sequence that the query parser will misinterpret as a sign to end the
string (before the last intended quote delimiter) prematurely and thereby treat
the remainder of the input string as SQL.

>> filter each piece of data
>> validate each piece of data
>> escape each piece of data for each context in which it will be output.
>
> I see that you have more experience than I!
>
>> imho your functions are conceptually wrong and not very robust either -
>> don't take it as a personal attack - I'm very sure if we sat down with *some*
>> of my code the same criticism could be made to more or lesser extent :-) ...
>> "getting better all the time" as they sang once ;-)
>
> I never thought that was a personal attack, not for a second. Rather,
> I very much appreciate the time you take to explain to me my errors.
> And I intend to learn from them. For the time being, I'll leave the
> code as it is. However, for future projects, I will make a point of
> separating the different functions. Thanks.





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chris

Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> I can read, I saw 2 functions the first time. each function cleans *and*
>> escapes.
>>
>> cleaning is filtering of input.
>> escaping is preparing for output.
>>
>> 2 concepts.
>
> I see your point.
>
>> if the input needs to be stripped of html then it needs that regardless
>> of the output vector. again removing or not-accepting input if it contains
>> '--' is a question of filtering/validation ... besides which '--' is quite
>> acceptable for data stored in a text field but not for a numeric one.
>
> I'm not accepting "--" at all until someone can show me a real world
> case where one would use it, without the intention of SQL injection.
> How can it be escaped, anyway?

Depends on your app.

-- is an accepted thing in emails as a marker for signatures.

Also in mysql_query ; is automatically handled, you can't send multiple
queries to mysql_query and have them execute.

mysql_query() sends an unique query (multiple queries are not supported)

Not sure why the php guys have only done that for mysql_query but there
you go :)


--
Postgresql & php tutorials
http://www.designmagick.com/




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chris



> Right now I still use mysql_escape_string and it seems to work fine,
> but it makes me nervous as everything else I use is mysqli and I know
> it is not 100% compatible (just haven't had anything break it yet) -
> but I hate having to have a connection handle open just to escape
> things.

If you need to escape something you're going to do a query aren't you?
Or am I missing something here?






Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Chris

Dotan Cohen wrote:
> On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
>>>> It would be Real Nifty (tm) if the MySQL API had a function that let
>>>> you specify the charset without a connection and did the escaping.
>>>>
>>>> Presumably you don't NEED a connection if you already know what
>>>> charset thingie you are aiming at...
>>
>> I concur - it would be nice to have the capability to have a normal
>> string escape function and give it a character set. I mean we should
>> all be using utf-8 anyway, right?
>
> I'd be interested in hearing an argument against UTF-8, other than the
> disk space argument.
>
>> Right now I still use mysql_escape_string and it seems to work fine,
>> but it makes me nervous as everything else I use is mysqli and I know
>> it is not 100% compatible (just haven't had anything break it yet) -
>> but I hate having to have a connection handle open just to escape
>> things.
>
> I think it was here on this list that we saw an example of SQL
> injection despite the use of mysql_escape_string. Some funky Asian
> charset was used, no?

Nope.

This article explains all I think:

http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> I can read, I saw 2 functions the first time. each function cleans *and* 
> escapes.
>
> cleaning is filtering of input.
> escaping is preparing for output.
>
> 2 concepts.

I see your point.

> if the input needs to be stripped of html then it needs that regardless
> of the output vector. again removing or not-accepting input if it contains
> '--' is a question of filtering/validation ... besides which '--' is quite
> acceptable for data stored in a text field but not for a numeric one.

I'm not accepting "--" at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?

> filter each piece of data
> validate each piece of data
> escape each piece of data for each context in which it will be output.

I see that you have more experience than I!

> imho your functions are conceptually wrong and not very robust either -
> don't take it as a personal attack - I'm very sure if we sat down with *some*
> of my code the same criticism could be made to more or lesser extent :-) ...
> "getting better all the time" as they sang once ;-)

I never thought that was a personal attack, not for a second. Rather,
I very much appreciate the time you take to explain to me my errors.
And I intend to learn from them. For the time being, I'll leave the
code as it is. However, for future projects, I will make a point of
separating the different functions. Thanks.

Dotan Cohen


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> There isn't a reason to go and report a bug as their stuff works fine.

I would have filed a wish, not a bug. They are both filed in the
bugzillas that I'm familiar with. In any case, I'm not filing as I've
no account there and I'll not be filing many bugs for that software.
If someone else wants to file a wish, be my guest.

> If you know you have utf8 and all that jazz then fine.  The only
> reason you should use mysql escaping is right before you put a value
> into the database.  To put a value in the database you must have a
> connection.  So this really is a non-issue in my opinion.

No, I sanitize the values, and only then I decide if the value (now
sanitized and safe to work with) should go to the database. And only
if it's going to the database do I open a connection.

> Look at mysqli or pdo and start working with prepared statements. :)

Thanks, I will take a look at those!

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
> > > It would be Real Nifty (tm) if the MySQL API had a function that let
> > > you specify the charset without a connection and did the escaping.
> > >
> > > Presumably you don't NEED a connection if you already know what
> > > charset thingie you are aiming at...
>
> I concur - it would be nice to have the capability to have a normal
> string escape function and give it a character set. I mean we should
> all be using utf-8 anyway, right?

I'd be interested in hearing an argument against UTF-8, other than the
disk space argument.

> Right now I still use mysql_escape_string and it seems to work fine,
> but it makes me nervous as everything else I use is mysqli and I know
> it is not 100% compatible (just haven't had anything break it yet) -
> but I hate having to have a connection handle open just to escape
> things.

I think it was here on this list that we saw an example of SQL
injection despite the use of mysql_escape_string. Some funky Asian
charset was used, no?

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> > On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> >> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> > However, I do not think that the script should throw an error until I
> > actually call mysql_clean. Merely having it in an include should not
> > throw an error if the function is not being used.
>
> If you get it to throw an error for a connection not present, then you
> ARE calling the function.

I just reviewed the code, and you are right. I call the include for
the database connection (from outside the public directory) just
before the mysql_query, which is _after_ I've cleaned the variables.

> You may not know where you called it in your rats' nest of OOP, but
> you are calling it. :-) :-) :-)

Yes, I was.

> The only errors PHP throws without calling functions are parse errors.

Good to know.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen wrote:

> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > you don't understand what I mean.
> >
> > input filtering is a separate task to output filtering.
> > you filter and validate all input to the script regardless of
> > how you are going to use it. THEN you escape the filtered, validated data
> > for each output (output to mysql, output to browser, etc)
>
> Exactly. However, before going to the database, things get a healthy
> dose of filtering specific to that medium. I don't need no Little
> Bobby Tables slipping through. Likewise for data being output to HTML:
> nobody would appreciate getting XSSed on my sites.
>
> > 2 distinct concepts, which shouldn't be rolled into single functions. imho.
>
> They aren't; what you saw are two separate functions. Here they are again:

I can read, I saw 2 functions the first time. each function cleans *and*
escapes.

cleaning is filtering of input.
escaping is preparing for output.

2 concepts.

if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.

filter each piece of data
validate each piece of data
escape each piece of data for each context in which it will be output.

imho your functions are conceptually wrong and not very robust either -
don't take it as a personal attack - I'm very sure if we sat down with *some*
of my code the same criticism could be made to more or lesser extent :-) ...
"getting better all the time" as they sang once ;-)

> function clean_html ($dirty) {
>    $dirty=strip_tags($dirty);
>    $clean=htmlentities($dirty);
>    return $clean;
> }
>
> function clean_mysql ($dirty) {
>    $dirty=str_replace ("--", "", $dirty);
>    $dirty=str_replace (";", "", $dirty);
>    $clean=mysql_real_escape_string($dirty);
>    return $clean;
> }
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Eric Butera
On Jan 23, 2008 2:37 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > Back to the original question...
> >
> > I suppose you could use mysql_escape_string (note the lack of "real")
> > in the short term...
>
> I'd rather not. There is no short term.
>
> > It would be Real Nifty (tm) if the MySQL API had a function that let
> > you specify the charset without a connection and did the escaping.
> >
> > Presumably you don't NEED a connection if you already know what
> > charset thingie you are aiming at...
> >
> > Or maybe I'm not understanding something...
>
> You are understanding. I'm heading over to the mysql bugzilla now...
>
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>

There isn't a reason to go and report a bug as their stuff works fine.

If you know you have utf8 and all that jazz then fine.  The only
reason you should use mysql escaping is right before you put a value
into the database.  To put a value in the database you must have a
connection.  So this really is a non-issue in my opinion.

Look at mysqli or pdo and start working with prepared statements. :)
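
Eric's suggestion to move to mysqli or PDO prepared statements, together with Jochem's three steps earlier in the thread (filter each piece of data, validate it, then escape it for each output context), written out as one script. This is an added example, not code posted in the thread. It assumes PHP 7 or later with the mysqli and mbstring extensions, a `comments` table with `user_id` and `body` columns, placeholder credentials, and the function names `validate_comment`, `store_comment` and `render_comment` are my own.

```php
<?php
// Added example: input filtering/validation kept apart from per-context
// output escaping. Table, column and credential names are placeholders.

// --- Step 1+2: filter and validate the raw input, independent of where it goes.
function validate_comment(array $input): array
{
    $errors = [];
    $clean  = [];

    // Filter: trim, and reject malformed UTF-8 instead of guessing at it.
    $body = isset($input['body']) ? trim((string) $input['body']) : '';
    if (!mb_check_encoding($body, 'UTF-8')) {
        $errors[] = 'body is not valid UTF-8';
    } elseif ($body === '' || mb_strlen($body, 'UTF-8') > 2000) {
        $errors[] = 'body must be 1..2000 characters';
    } else {
        // "--" and ";" are legitimate in free text, so they are kept:
        // the MySQL context is protected by step 3a, not by deleting characters.
        $clean['body'] = $body;
    }

    // Validate: a numeric field is where "--" really is unacceptable,
    // and an integer check rejects it without any string surgery.
    $uid = filter_var($input['user_id'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        $errors[] = 'user_id must be a positive integer';
    } else {
        $clean['user_id'] = $uid;
    }

    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

// --- Step 3a: the MySQL context. A prepared statement sends the values
// separately from the statement text, so quotes, "--" or ";" in the data
// cannot change the structure of the query. No escaping function is needed.
function store_comment(mysqli $db, array $data): int
{
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $data['user_id'], $data['body']);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// --- Step 3b: the HTML context, escaped at render time and nowhere else.
function render_comment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Usage with constructed request data standing in for $_POST.
$request = ['user_id' => '42', 'body' => "Robert'); DROP TABLE students;-- <b>hi</b>"];
$result  = validate_comment($request);
if ($result['ok']) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of warn
    $db = new mysqli('localhost', 'app', 'secret', 'appdb');  // placeholder credentials
    $db->set_charset('utf8mb4');
    $id = store_comment($db, $result['data']);
    echo render_comment($result['data']['body']);           // tags shown as text, not rendered
} else {
    print_r($result['errors']);
}
```

The body is stored exactly as typed (including the `--` and the `<b>` tag) and is made safe for each destination by the mechanism that destination understands: parameter binding for MySQL, `htmlspecialchars` for the browser. Only the integer field is rejected outright, because there "--" really is invalid input rather than data.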


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread mike
> > It would be Real Nifty (tm) if the MySQL API had a function that let
> > you specify the charset without a connection and did the escaping.
> >
> > Presumably you don't NEED a connection if you already know what
> > charset thingie you are aiming at...

I concur - it would be nice to have the capability to have a normal
string escape function and give it a character set. I mean we should
all be using utf-8 anyway, right?

Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
>> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> However, I do not think that the script should throw an error until I
> actually call mysql_clean. Merely having it in an include should not
> throw an error if the function is not being used.

If you get it to throw an error for a connection not present, then you
ARE calling the function.

You may not know where you called it in your rats' nest of OOP, but
you are calling it. :-) :-) :-)

The only errors PHP throws without calling functions are parse errors.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> Back to the original question...
>
> I suppose you could use mysql_escape_string (note the lack of "real")
> in the short term...

I'd rather not. There is no short term.

> It would be Real Nifty (tm) if the MySQL API had a function that let
> you specify the charset without a connection and did the escaping.
>
> Presumably you don't NEED a connection if you already know what
> charset thingie you are aiming at...
>
> Or maybe I'm not understanding something...

You are understanding. I'm heading over to the mysql bugzilla now...

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Richard Lynch
On Wed, January 23, 2008 11:47 am, Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> for each output (output to mysql, output to browser, etc)

Back to the original question...

I suppose you could use mysql_escape_string (note the lack of "real")
in the short term...

It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.

Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...

Or maybe I'm not understanding something...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will not connect to a mysql server, and worse,
> > may already be connected. So I must avoid connecting. However, when I
> > run the script without connecting I get this error:
> >
> > Warning: mysql_real_escape_string()
> > [function.mysql-real-escape-string]: Access denied for user:
> > '[EMAIL PROTECTED]' (Using password: NO)
> >
> > I was thinking about checking if there is a connection, and if not
> > then connecting. This seems redundant to me, however. What is the
> > list's opinion of this situation? Thanks in advance.
> >
> > Dotan Cohen
> >
> > http://what-is-what.com
> > http://gibberish.co.il
> > א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
> >
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> >
>
> By not connecting to the server you don't have the correct context for
> using mysql real escape string, therefore it is pointless.
>

Yes, I realize this. Note that I _always_ connect via UTF-8, so I'd
like to tell mysql_real_escape_string to do its magic as if I were
connected via UTF-8. I realize that this is impossible.

However, I do not think that the script should throw an error until I
actually call mysql_clean. Merely having it in an include should not
throw an error if the function is not being used.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Eric Butera
On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be connected. So I must avoid connecting. However, when I
> run the script without connecting I get this error:
>
> Warning: mysql_real_escape_string()
> [function.mysql-real-escape-string]: Access denied for user:
> '[EMAIL PROTECTED]' (Using password: NO)
>
> I was thinking about checking if there is a connection, and if not
> then connecting. This seems redundant to me, however. What is the
> list's opinion of this situation? Thanks in advance.
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>

By not connecting to the server you don't have the correct context for
using mysql real escape string, therefore it is pointless.


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread James Ausmus
On Jan 23, 2008 10:03 AM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, James Ausmus <[EMAIL PROTECTED]> wrote:
> > Try using the mysql_ping() command to check to see if your connection
> > is available:
> >
> > http://us2.php.net/manual/en/function.mysql-ping.php
> >
> > something like:
> >
> > <?php
> >
> > if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get
> >                     // connected, it will display a warning - suppress so users don't see
> > {
> >   connectToDB();
> > }
> >
> > mysql_real_escape_string('stuff');
> >
> > ?>
> >
> > HTH-
> >
> > James
> >
>
> I was thinking about that, but the problem is that if there is no
> connection, then the include is called and doesn't provide the
> mysql_clean function that I expect that it would. Then, I make a
> connection and use the function, expecting it to clean my data and it
> doesn't.

You should be able to have the best of both worlds - it shouldn't have
to be an either/or:

function clean_mysql ($dirty) {
   $dirty=str_replace ("--", "", $dirty);
   $dirty=str_replace (";", "", $dirty);
   if (!@mysql_ping())
   {
      functionThatConnectsToMySQL();
   }
   $clean=mysql_real_escape_string($dirty);
   return $clean;
}

This will connect if not connected, but either way it will still run
the mysql_real_escape_string function - it's not inside an else
statement...

-James





>
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, James Ausmus <[EMAIL PROTECTED]> wrote:
> Try using the mysql_ping() command to check to see if your connection
> is available:
>
> http://us2.php.net/manual/en/function.mysql-ping.php
>
> something like:
>
> <?php
>
> if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get
>                     // connected, it will display a warning - suppress so users don't see
> {
>   connectToDB();
> }
>
> mysql_real_escape_string('stuff');
>
> ?>
>
> HTH-
>
> James
>

I was thinking about that, but the problem is that if there is no
connection, then the include is called and doesn't provide the
mysql_clean function that I expect that it would. Then, I make a
connection and use the function, expecting it to clean my data and it
doesn't.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread James Ausmus
Try using the mysql_ping() command to check to see if your connection
is available:

http://us2.php.net/manual/en/function.mysql-ping.php

something like:

<?php

if (!@mysql_ping()) // Note the @ is because, if mysql_ping cannot get
                    // connected, it will display a warning - suppress so users don't see
{
  connectToDB();
}

mysql_real_escape_string('stuff');

?>

HTH-

James


On Jan 22, 2008 6:04 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> >
> >
> > On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
> > > I have a file of my own functions that I include in many places. One
> > > of them uses mysql_real_escape_string, however, it may be called in a
> > > context that will or will not connect to a mysql server, and worse,
> > > may already be connected. So I must avoid connecting. However, when I
> > > run the script without connecting I get this error:
> >
> > Don't do that?
> > :-)
> >
> > Can the file really do anything useful without the DB?
>
> The file defines some of my own functions, like these:
>
> function clean_html ($dirty) {
> $dirty=strip_tags($dirty);
> $clean=htmlentities($dirty);
> return $clean;
> }
>
> function clean_mysql ($dirty) {
> $dirty=str_replace ("--", "", $dirty);
> $dirty=str_replace (";", "", $dirty);
> $clean=mysql_real_escape_string($dirty);
> return $clean;
> }
>
> I use these functions in many places, so I simply put them all in a
> file and include it in each page.
>
> > When there *IS* a connection, how do you access it?
>
> mysql_fetch_array or mysql_result
>
> > Can't the file check somehow?
>
> I suppose that it could, by checking the return of one of the two
> functions above. Lucky for me, I always use UTF-8 so I won't get stuck
> connecting with one encoding yet doing mysql_real_escape_string with
> another, which would be a problem if I had to deal with multiple
> encodings.
>
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> you don't understand what I mean.
>
> input filtering is a separate task to output filtering.
> you filter and validate all input to the script regardless of
> how you are going to use it. THEN you escape the filtered, validated data
> for each output (output to mysql, output to browser, etc)

Exactly. However, before going to the database, things get a healthy
dose of filtering specific to that medium. I don't need no Little
Bobby Tables slipping through. Likewise for data being output to HTML:
nobody would appreciate getting XSSed on my sites.

> 2 distinct concepts, which shouldn't be rolled into single functions. imho.

They aren't; what you saw are two separate functions. Here they are again:

function clean_html ($dirty) {
   $dirty=strip_tags($dirty);
   $clean=htmlentities($dirty);
   return $clean;
}

function clean_mysql ($dirty) {
   $dirty=str_replace ("--", "", $dirty);
   $dirty=str_replace (";", "", $dirty);
   $clean=mysql_real_escape_string($dirty);
   return $clean;
}

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen wrote:

> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > > The file defines some of my own functions, like these:
> > >
> > > function clean_html ($dirty) {
> > > $dirty=strip_tags($dirty);
> > > $clean=htmlentities($dirty);
> > > return $clean;
> > > }
> > >
> > > function clean_mysql ($dirty) {
> > > $dirty=str_replace ("--", "", $dirty);
> > > $dirty=str_replace (";", "", $dirty);
> > > $clean=mysql_real_escape_string($dirty);
> > > return $clean;
> > > }
> >
> > your functions mix 2 concepts - input filtering and output escaping,
> > they should be separate actions.
>
> They are separate actions. One is on (for example) accept.php and the
> other on display.php. However, there are tens of pages which accept
> info, and tens of others which display info. And these are just two
> functions: I have quite a few more. It would be impossible to break
> them up into separate include pages because I'd be including 90% of
> them on each page anyway.

you don't understand what I mean.

input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated data
for each output (output to mysql, output to browser, etc)

2 distinct concepts, which shouldn't be rolled into single functions. imho.

> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Dotan Cohen
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > The file defines some of my own functions, like these:
> >
> > function clean_html ($dirty) {
> > $dirty=strip_tags($dirty);
> > $clean=htmlentities($dirty);
> > return $clean;
> > }
> >
> > function clean_mysql ($dirty) {
> > $dirty=str_replace ("--", "", $dirty);
> > $dirty=str_replace (";", "", $dirty);
> > $clean=mysql_real_escape_string($dirty);
> > return $clean;
> > }
>
> your functions mix 2 concepts - input filtering and output escaping,
> they should be separate actions.

They are separate actions. One is on (for example) accept.php and the
other on display.php. However, there are tens of pages which accept
info, and tens of others which display info. And these are just two
functions: I have quite a few more. It would be impossible to break
them up into separate include pages because I'd be including 90% of
them on each page anyway.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-23 Thread Jochem Maas

Dotan Cohen wrote:

> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
> > > I have a file of my own functions that I include in many places. One
> > > of them uses mysql_real_escape_string, however, it may be called in a
> > > context that will or will not connect to a mysql server, and worse,
> > > may already be connected. So I must avoid connecting. However, when I
> > > run the script without connecting I get this error:
> >
> > Don't do that?
> > :-)
> >
> > Can the file really do anything useful without the DB?
>
> The file defines some of my own functions, like these:
>
> function clean_html ($dirty) {
> $dirty=strip_tags($dirty);
> $clean=htmlentities($dirty);
> return $clean;
> }
>
> function clean_mysql ($dirty) {
> $dirty=str_replace ("--", "", $dirty);
> $dirty=str_replace (";", "", $dirty);
> $clean=mysql_real_escape_string($dirty);
> return $clean;
> }

your functions mix 2 concepts - input filtering and output escaping,
they should be separate actions.

> I use these functions in many places, so I simply put them all in a
> file and include it in each page.
>
> > When there *IS* a connection, how do you access it?
>
> mysql_fetch_array or mysql_result
>
> > Can't the file check somehow?
>
> I suppose that it could, by checking the return of one of the two
> functions above. Lucky for me, I always use UTF-8 so I won't get stuck
> connecting with one encoding yet doing mysql_real_escape_string with
> another, which would be a problem if I had to deal with multiple
> encodings.
>
> Dotan Cohen
>
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?





Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-22 Thread Dotan Cohen
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will not connect to a mysql server, and worse,
> > may already be connected. So I must avoid connecting. However, when I
> > run the script without connecting I get this error:
>
> Don't do that?
> :-)
>
> Can the file really do anything useful without the DB?

The file defines some of my own functions, like these:

function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}

function clean_mysql ($dirty) {
$dirty=str_replace ("--", "", $dirty);
$dirty=str_replace (";", "", $dirty);
$clean=mysql_real_escape_string($dirty);
return $clean;
}

I use these functions in many places, so I simply put them all in a
file and include it in each page.

> When there *IS* a connection, how do you access it?

mysql_fetch_array or mysql_result

> Can't the file check somehow?

I suppose that it could, by checking the return of one of the two
functions above. Lucky for me, I always use UTF-8 so I won't get stuck
connecting with one encoding yet doing mysql_real_escape_string with
another, which would be a problem if I had to deal with multiple
encodings.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-22 Thread Richard Lynch


On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be connected. So I must avoid connecting. However, when I
> run the script without connecting I get this error:

Don't do that?
:-)

Can the file really do anything useful without the DB?

When there *IS* a connection, how do you access it?

Can't the file check somehow?

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?




Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-22 Thread Dotan Cohen
On 23/01/2008, Chris <[EMAIL PROTECTED]> wrote:
> Dotan Cohen wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will not connect to a mysql server, and worse,
> > may already be connected. So I must avoid connecting. However, when I
> > run the script without connecting I get this error:
> >
> > Warning: mysql_real_escape_string()
> > [function.mysql-real-escape-string]: Access denied for user:
> > '[EMAIL PROTECTED]' (Using password: NO)
> >
> > I was thinking about checking if there is a connection, and if not
> > then connecting. This seems redundant to me, however. What is the
> > list's opinion of this situation? Thanks in advance.
>
> real_escape_string needs a connection so it knows what encoding and
> charset the database supports.
>
> No way around it sorry :)
>

Ah, now that is a good reason. This is becoming problematic...

Thanks.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: [PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-22 Thread Chris

Dotan Cohen wrote:

> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be connected. So I must avoid connecting. However, when I
> run the script without connecting I get this error:
>
> Warning: mysql_real_escape_string()
> [function.mysql-real-escape-string]: Access denied for user:
> '[EMAIL PROTECTED]' (Using password: NO)
>
> I was thinking about checking if there is a connection, and if not
> then connecting. This seems redundant to me, however. What is the
> list's opinion of this situation? Thanks in advance.

real_escape_string needs a connection so it knows what encoding and
charset the database supports.

No way around it sorry :)

--
Postgresql & php tutorials
http://www.designmagick.com/

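
Chris's point that the escaping function must know the connection's charset, and James's connect-on-demand idea from earlier in the thread, combined into one small helper as an added example. This is not code from the thread: it uses mysqli instead of the old mysql extension, the class name `Db` and the connection parameters are placeholders, and it assumes PHP 7 or later with the mysqli extension.

```php
<?php
// Added example: a lazily opened mysqli connection whose client-side charset
// is set with set_charset(), so that real_escape_string() escapes by the same
// rules the server will use to parse the query. Names and credentials are
// placeholders for this example.

final class Db
{
    private static $conn = null;

    const HOST    = 'localhost';   // placeholder
    const USER    = 'app';         // placeholder
    const PASS    = 'secret';      // placeholder
    const NAME    = 'appdb';       // placeholder
    const CHARSET = 'utf8mb4';

    // Open the connection on first use only. Including this file never
    // connects, and a page that never calls quote() never connects either,
    // which is the lazy behaviour the mysql_ping() check was aiming for.
    public static function conn(): mysqli
    {
        if (self::$conn === null) {
            // Report failures as exceptions instead of the "Access denied"
            // warning the original question hit.
            mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
            $c = new mysqli(self::HOST, self::USER, self::PASS, self::NAME);

            // Correct: set_charset() tells the client library which charset
            // the connection uses, so escaping is computed for that charset.
            // Pitfall: $c->query("SET NAMES 'utf8mb4'") changes only the server
            // side; the client library would keep escaping for its old default.
            $c->set_charset(self::CHARSET);

            // Defensive check: refuse to work if the client charset is not
            // the one we expect (this is the "always UTF-8" assumption made explicit).
            if (strcasecmp($c->character_set_name(), self::CHARSET) !== 0) {
                throw new RuntimeException('client charset is ' . $c->character_set_name()
                                           . ', expected ' . self::CHARSET);
            }
            self::$conn = $c;
        }
        return self::$conn;
    }

    // Escape a value and wrap it in quotes for the rare spot where a prepared
    // statement cannot be used (for example a dynamically built IN list).
    // Prepared statements remain the preferred route for ordinary queries.
    public static function quote(string $value): string
    {
        return "'" . self::conn()->real_escape_string($value) . "'";
    }
}

// Usage with constructed input: nothing connects until quote() is called.
$name = "O'Brien";
$sql  = 'SELECT id FROM users WHERE name = ' . Db::quote($name);
// $sql is now: SELECT id FROM users WHERE name = 'O\'Brien'
```

Two design choices are worth noting. The charset is applied with `set_charset()` rather than a `SET NAMES` query, because only the former updates the client library that `real_escape_string()` relies on; the PHP manual documents this as the supported way to change the charset. And the connection is created inside the helper, so the escaping function can never run against "no connection" the way the original `clean_mysql` could, which is what produced the warning that started the thread.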



[PHP] Using mysql_real_escape_string without connecting to mysql

2008-01-22 Thread Dotan Cohen
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
run the script without connecting I get this error:

Warning: mysql_real_escape_string()
[function.mysql-real-escape-string]: Access denied for user:
'[EMAIL PROTECTED]' (Using password: NO)

I was thinking about checking if there is a connection, and if not
then connecting. This seems redundant to me, however. What is the
list's opinion of this situation? Thanks in advance.

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?