Dotan Cohen wrote:
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
Is the -- here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepared
On 24/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
Which basically is the same as a simple mysql_real_escape_string? In
other words, mysql_real_escape_string itself is safe from SQL
injection?
not exactly - it assumes you will use the value as a quoted string in a query.
$s =
On Wed, January 23, 2008 11:28 pm, Dotan Cohen wrote:
In
other words, mysql_real_escape_string itself is safe from SQL
injection?
Yes.
That is the entire purpose of the existence of that function in the
first place.
--
Some people have a gift link here.
Know what I want?
I want you to buy a
On Thu, January 24, 2008 10:01 am, Dotan Cohen wrote:
On 24/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
Which basically is the same as a simple mysql_real_escape_string?
In
other words, mysql_real_escape_string itself is safe from SQL
injection?
not exactly - it assumes you will use
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.
In other words, you should still filter the INPUT somewhere; But you
are escaping the output to MySQL so that it is not going
On Jan 24, 2008 1:03 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.
In other words, you should still filter the INPUT somewhere;
On 24/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
That won't save you if you're echoing into a single quote attribute.
(i.e. src='')
Even after I've stripped away the tags with strip_tags()?
Like htmlspecialchars(), the optional second quote_style parameter
lets you define what will be done
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.
In other words, you should still filter the INPUT somewhere; But you
are
Richard Lynch wrote:
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.
In other words, you should still filter the INPUT
On 25/01/2008, Jim Lucas [EMAIL PROTECTED] wrote:
That should be considered part of the DRY method. But spanning page
requests.
I cannot see any reason why you shouldn't be doing this before you
insert this information into your DB. Doing it once on your insert,
instead of every single
Dotan Cohen wrote:
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
The file defines some of my own functions, like these:
function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}
function clean_mysql ($dirty) {
$dirty=str_replace
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
you don't understand what I mean.
input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated data
for each
Try using the mysql_ping() command to check to see if your connection
is available:
http://us2.php.net/manual/en/function.mysql-ping.php
something like:
<?php
if (!@mysql_ping()) //Note the @ is because, if mysql_ping cannot get
connected, it will display a warning - suppress so users
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
The file defines some of my own functions, like these:
function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}
function clean_mysql ($dirty) {
On 23/01/2008, James Ausmus [EMAIL PROTECTED] wrote:
Try using the mysql_ping() command to check to see if your connection
is available:
http://us2.php.net/manual/en/function.mysql-ping.php
something like:
<?php
if (!@mysql_ping()) //Note the @ is because, if mysql_ping cannot get
On Jan 23, 2008 10:03 AM, Dotan Cohen [EMAIL PROTECTED] wrote:
On 23/01/2008, James Ausmus [EMAIL PROTECTED] wrote:
Try using the mysql_ping() command to check to see if your connection
is available:
http://us2.php.net/manual/en/function.mysql-ping.php
something like:
<?php
if
On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected.
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect
On Wed, January 23, 2008 11:47 am, Dotan Cohen wrote:
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
for each output (output to mysql, output to browser, etc)
Back to the original question...
I suppose you could use mysql_escape_string (note the lack of real)
in the short term...
It
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
Back to the original question...
I suppose you could use mysql_escape_string (note the lack of real)
in the short term...
I'd rather not. There is no short term.
It would be Real Nifty (tm) if the MySQL API had a function that let
you
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
However, I do not think that the script should throw an error until I
actually call mysql_clean. Merely having it in an
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.
Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...
I concur - it would be nice to have the capability
On Jan 23, 2008 2:37 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
Back to the original question...
I suppose you could use mysql_escape_string (note the lack of real)
in the short term...
I'd rather not. There is no short term.
It
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
you don't understand what I mean.
input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
On Jan 22, 2008 8:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
However, I do not think that the script should throw an error until I
On 23/01/2008, mike [EMAIL PROTECTED] wrote:
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.
Presumably you don't NEED a connection if you already know what
charset thingie you are aiming at...
On 23/01/2008, Eric Butera [EMAIL PROTECTED] wrote:
There isn't a reason to go and report a bug as their stuff works fine.
I would have filed a wish, not a bug. They are both filed in the
bugzillas that I'm familiar with. In any case, I'm not filing as I've
no account there and I'll not be
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of html then it needs
Dotan Cohen wrote:
On 23/01/2008, mike [EMAIL PROTECTED] wrote:
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.
Presumably you don't NEED a connection if you already know what
charset thingie you are aiming
Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.
If you need
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of
On 23/01/2008, Chris [EMAIL PROTECTED] wrote:
I'm not accepting -- at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?
Depends on your app.
-- is an accepted thing in emails as a marker for
On 23/01/2008, Jochem Maas [EMAIL PROTECTED] wrote:
Dotan Cohen wrote:
I'm not accepting -- at all until someone can show me a real world
case where one would use it, without the intention of SQL injection.
How can it be escaped, anyway?
I might just want to put '--' in a textfield used
On Jan 22, 2008 7:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected.
On 24/01/2008, Chuck [EMAIL PROTECTED] wrote:
Why not write a function that does the same thing?
mysql_real_escape_strings is a very simple function. And if your data
is properly normalized and you don't support other charsets it's very
simple.
Maintenance and security seem to be two very
On 1/23/08, Chris [EMAIL PROTECTED] wrote:
If you need to escape something you're going to do a query aren't you?
Or am I missing something here?
true. but i typically have everything in wrapper functions, and i
don't keep the actual resource variable exposed to use it (since it
needs a
Chuck wrote:
On Jan 22, 2008 7:01 PM, Dotan Cohen [EMAIL PROTECTED] wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
Is the -- here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.
The data
On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
I think it was here on this list that we saw an example of SQL
injection despite the use of mysql_escape_string. Some funky Asian
charset was used, no?
I don't know that I'd call it funky, but yes.
Without the real MySQL does not know what
On Wed, January 23, 2008 3:30 pm, Chris wrote:
Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I
know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a
On 24/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
Is the -- here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepared statements)
is to
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
run the script
Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
On 23/01/2008, Chris [EMAIL PROTECTED] wrote:
Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be
On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I
On 23/01/2008, Richard Lynch [EMAIL PROTECTED] wrote:
On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a