Re: [PHP] Filtering (was storing single and double quote in MySQL)
As you said: Filtering. My next queston. I have small form to activate/deactivate member's account. form method=post action=members.php input type=hidden name=username value=?= $Usename ? input type=hidden name=status value=?= $Status ? input type=image name=action value=change src=images/status_live.gif border=0 /form and once adminisrtrator clicks on button: if(isset($_POST['action'])) { $Username = $_POST['Username']; $action = ''; switch($action) { case 'change': mysql_query(UPDATE members SET status='live' WHERE Username = '.$Username.'); break; case 'edit': // ... break; } } Do I have to filter $Username with mysql_real_escape_string() function even if $Username will not be stored in DB and I use it in WHERE part? If no - how to filter it? Thanks -afan At 4:28 PM +0200 5/24/06, [EMAIL PROTECTED] wrote: after these very helpfull comments, I rad (again) Shiflett's (and few others) Security articles about filtering input and output. And more I read - less is clear :( and At 6:07 PM +0200 5/24/06, [EMAIL PROTECTED] wrote: Ok. Looks like I DID miss the point :) I thought that with mysql_real_escape_string() HAVE TO add slash in front of a quote and THAT's filtering. No, that's NOT filtering input, as per Shiflett's book. Filtering input is proving that the data coming is -- IS -- valid data! Take for example the code he shows on page 11 of his book (Essential PHP Security) where: ?php $clean = array(); switch($$_POST['color']) { case 'red': case 'green': case 'blue': $clean['color'} = $_POST['color']; break; } ? If you inspect this code, you will see that the array $clean will never have anything in it that's not 'red', 'green', or 'blue' -- that's filtering input as per Shiflett. And, that makes prefect sense to me. tedd PS: I changed the subject line because it's a different subject. :-) -- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Filtering (was storing single and double quote in MySQL)
On 5/25/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: As you said: Filtering. My next queston. I have small form to activate/deactivate member's account. form method=post action=members.php input type=hidden name=username value=?= $Usename ? input type=hidden name=status value=?= $Status ? input type=image name=action value=change src=images/status_live.gif border=0 /form and once adminisrtrator clicks on button: if(isset($_POST['action'])) { $Username = $_POST['Username']; $action = ''; switch($action) { case 'change': mysql_query(UPDATE members SET status='live' WHERE Username = '.$Username.'); break; case 'edit': // ... break; } } Do I have to filter $Username with mysql_real_escape_string() function even if $Username will not be stored in DB and I use it in WHERE part? If no - how to filter it? Thanks -afan Yes, you're sending it into the DB which means it is a command that needs to be escaped. All MySQL commands need to be escaped. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Filtering (was storing single and double quote in MySQL)
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 25 May 2006 22:19 To: tedd Cc: Eric Butera; php Subject: Re: [PHP] Filtering (was storing single and double quote in MySQL) As you said: Filtering. My next queston. I have small form to activate/deactivate member's account. form method=post action=members.php input type=hidden name=username value=?= $Usename ? input type=hidden name=status value=?= $Status ? input type=image name=action value=change src=images/status_live.gif border=0 /form and once adminisrtrator clicks on button: if(isset($_POST['action'])) { $Username = $_POST['Username']; $action = ''; switch($action) { case 'change': mysql_query(UPDATE members SET status='live' WHERE Username = '.$Username.'); break; case 'edit': // ... break; } } Do I have to filter $Username with mysql_real_escape_string() function even if $Username will not be stored in DB and I use it in WHERE part? If no - how to filter it? Thanks -afan Always sanitise data provided externally; whether it's from the user directly (e.g. a POST form or a URL query string (GET)) or from the browser (e.g. cookie data)... always assume it can never be trusted (there are some nasty people out there) In this case using mysql_real_escape_string() on the supplied username should be enough for most injection attacks ( http://www.google.co.uk/search?hl=enq=sql+injectionmeta= ), but to be more sure try this (if your username is alphanumeric only with spaces): if(isset($_POST['action'])) { $Username = preg_replace('/[^a-zA-Z0-9]+/', '', $_POST['Username']); $action = ''; switch($action) { case 'change': if (!empty($Username)) mysql_query(UPDATE members SET status='live' WHERE Username = '.$Username.'); break; case 'edit': // ... break; } } I think that's right :) Dan -- http://chrome.me.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Filtering (was storing single and double quote in MySQL)
At 11:19 PM +0200 5/25/06, [EMAIL PROTECTED] wrote: As you said: Filtering. My next queston. I have small form to activate/deactivate member's account. form method=post action=members.php input type=hidden name=username value=?= $Usename ? input type=hidden name=status value=?= $Status ? input type=image name=action value=change src=images/status_live.gif border=0 /form and once adminisrtrator clicks on button: if(isset($_POST['action'])) { $Username = $_POST['Username']; $action = ''; = ERROR switch($action) { case 'change': mysql_query(UPDATE members SET status='live' WHERE Username = '.$Username.'); break; case 'edit': // ... break; } } Do I have to filter $Username with mysql_real_escape_string() function even if $Username will not be stored in DB and I use it in WHERE part? If no - how to filter it? Thanks -afan -afan: Two things: 1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand? 2. Filtering is like the example I gave you before. You take something that comes in from a POST and then compare that with what you expect. As with your example above -- what do you want $_POST('action) to contain? (Please note the ERROR -- your code would never get into the switch). If you want $_POST('action) contain 'change' or 'edit' or whatever, then test for that in the switch. It's the same as the example I gave you. At some point here, you're going to have to start thinking about what you're doing. tedd -- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Filtering (was storing single and double quote in MySQL)
[snip] 1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand? [/snip] Untrue... It isn't just inserting into a DB that requires this function... Consider: User enters: anything'; DROP TABLE x; SELECT 'a' = 'a into the form for username... Now your unescaped SQL statement reads: UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x; SELECT 'a' = 'a' Where x can be a brute-forced table name... I can't remember if MySQL allows multiple statements but I seem to remember hearing that MySQL5 does... If I'm wrong correct me and tell me to RTFM :) Nice catch on the error... I didn't notice that :) HTH (and that I'm right :) ) Dan -- http://chrome.me.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Filtering (was storing single and double quote in MySQL)
At 11:51 PM +0100 5/25/06, Chrome wrote: [snip] 1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand? [/snip] Untrue... It isn't just inserting into a DB that requires this function... Consider: User enters: anything'; DROP TABLE x; SELECT 'a' = 'a into the form for username... Now your unescaped SQL statement reads: UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x; SELECT 'a' = 'a' Where x can be a brute-forced table name... I can't remember if MySQL allows multiple statements but I seem to remember hearing that MySQL5 does... If I'm wrong correct me and tell me to RTFM :) Nice catch on the error... I didn't notice that :) HTH (and that I'm right :) ) Dan Dan: A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer. I find that sometimes it's best to provide something simple for someone to learn rather than confuse them with remote possibilities. I taught at college level and believe me when I say there is nothing dumber than a student. Baby steps are best -- and the same for me when I'm learning as well. In the exchange I had with afan, we were talking about placing data into a dB without the need for escapes and I think the advice I gave him was correct. I realize that there are exceptions to just about anything IF you dig deep enough. For example did you know that if magic_quotes are turned ON and you use escape_data() that function will use mysql_real_escape_string(). So, here's an example that proves your point, but if I was to inform afan of that, what good would it do? Knowing that hasn't done anything for me. In any event, your point is well taken -- thanks for the clarification. tedd -- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Filtering (was storing single and double quote in MySQL)
-Original Message- From: tedd [mailto:[EMAIL PROTECTED] Sent: 26 May 2006 02:27 To: Chrome; 'tedd'; [EMAIL PROTECTED] Cc: 'Eric Butera'; 'php' Subject: RE: [PHP] Filtering (was storing single and double quote in MySQL) At 11:51 PM +0100 5/25/06, Chrome wrote: [snip] 1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand? [/snip] Untrue... It isn't just inserting into a DB that requires this function... Consider: User enters: anything'; DROP TABLE x; SELECT 'a' = 'a into the form for username... Now your unescaped SQL statement reads: UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x; SELECT 'a' = 'a' Where x can be a brute-forced table name... I can't remember if MySQL allows multiple statements but I seem to remember hearing that MySQL5 does... If I'm wrong correct me and tell me to RTFM :) Nice catch on the error... I didn't notice that :) HTH (and that I'm right :) ) Dan Dan: A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer. I don't use them either; hence my uncertainty :) I find that sometimes it's best to provide something simple for someone to learn rather than confuse them with remote possibilities. I taught at college level and believe me when I say there is nothing dumber than a student. Baby steps are best -- and the same for me when I'm learning as well. I'm still learning... very much so... which is why all my advice is subject to correction by a higher mortal... step forward, you know who you are :) In the exchange I had with afan, we were talking about placing data into a dB without the need for escapes and I think the advice I gave him was correct. Never doubted that :)... I have seen much of your advice I realize that there are exceptions to just about anything IF you dig deep enough. For example did you know that if magic_quotes are turned ON and you use escape_data() that function will use mysql_real_escape_string(). So, here's an example that proves your point, but if I was to inform afan of that, what good would it do? Knowing that hasn't done anything for me. I only sought to provide knowledge... knowing the pitfalls regardless of how bad the advice is set out/worded surely must be good Security should be foremost and ignorance no excuse... That's not to say anyone can't make a mistake :) In any event, your point is well taken -- thanks for the clarification. tedd -- -- -- http://sperling.com http://ancientstones.com http://earthstones.com __ NOD32 1.1559 (20060525) Information __ This message was checked by NOD32 antivirus system. http://www.eset.com Dan -- http://chrome.me.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Filtering (was storing single and double quote in MySQL)
tedd wrote: At 11:51 PM +0100 5/25/06, Chrome wrote: [snip] 1. Anytime you put anything into a dB then use mysql_real_escape_string() function. If you are NOT going to put it in a dB, then you don't need mysql_real_escape_string() function -- understand? [/snip] Untrue... It isn't just inserting into a DB that requires this function... Consider: User enters: anything'; DROP TABLE x; SELECT 'a' = 'a into the form for username... Now your unescaped SQL statement reads: UPDATE members SET status='live' WHERE Username = 'anything'; DROP TABLE x; SELECT 'a' = 'a' Where x can be a brute-forced table name... I can't remember if MySQL allows multiple statements but I seem to remember hearing that MySQL5 does... If I'm wrong correct me and tell me to RTFM :) Nice catch on the error... I didn't notice that :) HTH (and that I'm right :) ) Dan Dan: A couple of things: One, I'm not sure if afan understands multiple statements, so I didn't want to confuse him; Two, I don't use multiple statements because they confuse me. I'm much more of a step-by-step programmer. Dan was giving you an example of a really bad sql injection attack where instead of one query: select * from members where email='email_address'; you end up with three: select * from members where email='anything'; DROP TABLE x; SELECT 'a' = 'a'; The point being never trust user data - always escape it whether you're inserting, updating, deleting or selecting. Using mysql_real_escape_string or your db's equivalent means it becomes only one query (which won't return any results, but stops your data from being destroyed). Multiple statements means running multiple queries within the same function call: so mysql_query(select * from members where email='anything'; DROP TABLE x; SELECT 'a' = 'a';); is actually 3 sql statements (select, drop table, select), but only one call to mysql_query. Whether mysql_query allows this to happen is another thing and one left to the readers to check. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php