Re: [PHP] escape your variables
2009/4/21 Chris dmag...@gmail.com: How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = 'auser'; $db_pwd = 'apassword'; $database = 'adatabase'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); Inputs are user supplied. Are you saying that I don't need to sanitize the variables above - $db_host, $db_user, $db_pwd, $database, $table ? No - they are essentially hardcoded. A user (through a form or any other method) cannot change which db you are talking to. They cannot change the hostname either. If a variable comes from: - a post variable - a get variable - a session variable - a cookie - an environment variable then it will need to be escaped sanitized. If you are putting the variable at the top of the script and there's no way for a user to change it, then no need to sanitize. I would love to see an example somewhere that shows an unsanitized variable and the same variable sanitized. Sanitizing depends on what you need. An age field doesn't need anything except a number. A name field should accept everything except html tags. They are going to be sanitized differently. $name = $_POST['name']; -- unsanitized $name = strip_tags($name); -- sanitized. Sorry to disturb, but you should never assume a string is sanitized when you've applied the function strip_tags. That function *only* removes complete HTML-Markup. It *ignores* invalid HTML, unlike 99% of the browsers do. So, a site using strip_tags only to sanatize user_input is vulnerable to XSS! The second thing I'd like to mention is that you're mixing DB-escaping and output escaping for the browser, but both require different escaping. A name field should accept everything except html tags. What the hell? Don't believe charsets only include [-a-Z0-9']. You might want to remove conrol characters as well as some other, printable characters. Or have you ever known a person called * 1234? * )(/)(%(%)()($#432+4 * ' OR 1=1/* * and so on. Greetings = Better: myql_query(INSERT INTO foo (`name`) VALUES ('. mysql_real_escape_string($name, $link) .')); This is better because we escape it in the sql statement itself. $name remains unchanged in case we want to use it later. Best: Use prepared statements! = What is meant by prepared stetements? Does that mean not using variables? It's a different way of putting the query together. Data can only mean one thing - data. There's no escaping, the db will always know what it's going to do. http://www.php.net/manual/en/pdo.prepare.php -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
Bastien Koert wrote: On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote: To focus on mysql_real_escape_string, I am recapping... questions below QUOTE:== Instead of doing this (for an imaginary table): $sql = insert into table1(field1, field2) values ('$value1', '$value2'); do $sql = insert into table1(field1, field2) values (' . mysql_real_escape_string($value1) . ', ' . mysql_real_escape_string($value2) . '); Now $value1 and $value2 can only be used as data, they can't be used against you. If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name. When you say escape all your inputs - just what do you mean? Does that mean I need some special routines that have to be repeated over and over every time there is an input... but what do you mean by an input? And, from looking at all the comments in the manual, it's not clear just where to stop... input means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped. END QUOTE === So, I am more confused than ever... TWO QUESTIONS: 1. It seems to me that submitting username, password and database_name is pretty dangerous. How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = 'auser'; $db_pwd = 'apassword'; $database = 'adatabase'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); Inputs are user supplied. Are you saying that I don't need to sanitize the variables above - $db_host, $db_user, $db_pwd, $database, $table ? If they whould be sanitized, just when should that be done? Whlen the variable is declared? or in the if stetements above and the $result ? I would love to see an example somewhere that shows an unsanitized variable and the same variable sanitized. Variables coming from inside the application code are not really inputs. I prefer a two step approach to ensure that I am (hopefully) free from potential problems. 1. Use filtering like regex and length checks When and specifically on what? [ http://ca2.php.net/manual/en/function.ereg.php] 2. Use mysql_real_escape_string in the query wherever the data is potentially harmful. 2. How do you use mysql_real_escape_string on a string entered in a form page with input and $_POST where the inputs are strings like $titleIN, $authorINetc.? ?php $error = ''; $title = ''; $authorIN=''; //initialize vars $title = (eregi(^[a-z0-9\.\s]+$,$_POST['title'])) ? $_POST['title'] : $error .= invalid title; $authorIN = (eregi(^[a-z\.\s]+$,$_POST['author'])) ? $_POST['author'] : $error .= invalid author; $sql = insert into table (title, author) values (' . mysql_real_escape_string($title) . ',' . mysql_real_escape_string($authorIN) . '); //rest of code ? -- Phil Jourdan --- p...@ptahhotep.com http://www.ptahhotep.com http://www.chiccantine.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php I quote from earlier in the post: = Better: myql_query(INSERT INTO foo (`name`) VALUES ('. mysql_real_escape_string($name, $link) .')); This is better because we escape it in the sql statement itself. $name remains unchanged in case we want to use it later. Best: Use prepared statements! = What is meant by prepared stetements? Does that mean not using variables? Another quote: Better: echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); This is better because we don't trust the data at all. You don't know what it contains. People find all sorts of interesting ways of getting weird characters into the apps I write, so just cover all bases. Another way: Create a pre-escaped version of the content in the db. Keep the original value so that the user can edit it, but also create a 'clean' version that you can just echo out. Just make sure you don't mess up. === I'd like to be able to understand just what is meant by creating a pre-escaped version of the content in the db - I'd like to see an example. And what would the 'clean' version be, where would you put it or where is it supposed to be placed? -- unheralded genius: A clean desk is the sign of a dull mind. - Phil Jourdan --- p...@ptahhotep.com http://www.ptahhotep.com http://www.chiccantine.com/andypantry.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = 'auser'; $db_pwd = 'apassword'; $database = 'adatabase'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); Inputs are user supplied. Are you saying that I don't need to sanitize the variables above - $db_host, $db_user, $db_pwd, $database, $table ? No - they are essentially hardcoded. A user (through a form or any other method) cannot change which db you are talking to. They cannot change the hostname either. If a variable comes from: - a post variable - a get variable - a session variable - a cookie - an environment variable then it will need to be escaped sanitized. If you are putting the variable at the top of the script and there's no way for a user to change it, then no need to sanitize. I would love to see an example somewhere that shows an unsanitized variable and the same variable sanitized. Sanitizing depends on what you need. An age field doesn't need anything except a number. A name field should accept everything except html tags. They are going to be sanitized differently. $name = $_POST['name']; -- unsanitized $name = strip_tags($name); -- sanitized. = Better: myql_query(INSERT INTO foo (`name`) VALUES ('. mysql_real_escape_string($name, $link) .')); This is better because we escape it in the sql statement itself. $name remains unchanged in case we want to use it later. Best: Use prepared statements! = What is meant by prepared stetements? Does that mean not using variables? It's a different way of putting the query together. Data can only mean one thing - data. There's no escaping, the db will always know what it's going to do. http://www.php.net/manual/en/pdo.prepare.php -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
Sorry, but I have been waylaid by other posts... :'( and have not had the opportunity to finish my quest and I posted to mysql but they are not very helpful I see I was not very clear below and will annotate below. But the problem is still there, I cannot figure out how to sanitize with mysql_real_escape_string(). I have tried to use it but cannot figure out where it should go... according to the php manual, but I see tat I have to have an active db connection; so how do I sanitize when this is a file for connecting and in an include file? Here is an include file that connects to the database: ? // db1.php // SQL login parameters for local environment $local_dbhost = localhost;// normally localhost $local_dbuser = root;// your local database user name $local_dbpass = gu...@#$;// your local database password $local_dbname = biblane;// your local database name // SQL remote parameters for remote environment (ex: nomonthlyfees) $remote_dbhost= localhost;// normally localhost $remote_dbuser = root;// your remote database user name $remote_dbpass = gu...@#$;// your remote database password $remote_dbname = biblane;// your remote database name // Local server address $LOCAL_SERVER = 127.0.0.1; // CONNECT to DATABASE if ($_SERVER[REMOTE_ADDR] == $LOCAL_SERVER) { $dbhost = $local_dbhost; $dbuser = $local_dbuser; $dbpass = $local_dbpass; $dbname = $local_dbname; } else { $dbhost = $remote_dbhost; $dbuser = $remote_dbuser; $dbpass = $remote_dbpass; $dbname = $remote_dbname; } $db = mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname,$db); //echo $dbname; //echo br; //echo $dbhost; //echo $dbuser; //echo $dbpass; if (!$db) { echo( PUnable to connect to the . database server at this time./P ); exit(); } // Select the database if (! mysql_select_db(biblane) ) { echo( PUnable to locate the biblane . database at this time./P ); exit(); } ? Eric Butera wrote: On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote: To focus on mysql_real_escape_string, I am recapping... questions below QUOTE:== Instead of doing this (for an imaginary table): $sql = insert into table1(field1, field2) values ('$value1', '$value2'); do $sql = insert into table1(field1, field2) values (' . mysql_real_escape_string($value1) . ', ' . mysql_real_escape_string($value2) . '); Now $value1 and $value2 can only be used as data, they can't be used against you. If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name. When you say escape all your inputs - just what do you mean? Does that mean I need some special routines that have to be repeated over and over every time there is an input... but what do you mean by an input? And, from looking at all the comments in the manual, it's not clear just where to stop... input means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped. END QUOTE === So, I am more confused than ever... TWO QUESTIONS: 1. It seems to me that submitting username, password and database_name is pretty dangerous. How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = ''; $db_pwd = 'xx'; $database = 'join_tutorial'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); No one seems to have resonded to the above question - how to sanitize this when there is no connection? Same idea as the upper include file... 2. How do you use mysql_real_escape_string on a string entered in a form page with input and $_POST where the inputs are strings like $titleIN, $authorINetc.? -- Phil Jourdan --- p...@ptahhotep.com http://www.ptahhotep.com http://www.chiccantine.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Escaping means making sure your data remains data in the context of using it. If you don't escape your data correctly depending on the context, then user input can break your applications. Also if your site is worthy of it, perhaps even a malicious user might try something, but usually what ends up happening is O'Henry gets a white page. Why? Well most code I come across has that horrid or die() following the query. Keep in mind that you want to escape your variable when you're using it only. You do not want to escape the actual variable itself, but a copy of it. This is why magic quotes is such a bad idea. It taints your actual data with slashes. There's more to it than just that, but you can research it on your own. So
Re: [PHP] escape your variables
On Wed, Mar 4, 2009 at 8:04 PM, PJ af.gour...@videotron.ca wrote some stuff... You should do a little reading on some of the keywords that have been presented. Specifically you don't sanitize a value into your db. You escape it. Prepared statements are a way of doing this that makes it a bit harder to mess up. You have to have a connection to the server to properly escape your value because databases can have lots of different character encodings. Just blindly assuming latin1 is wrong. -- http://www.voom.me | EFnet: #voom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
PJ wrote: Sorry, but I have been waylaid by other posts... :'( and have not had the opportunity to finish my quest and I posted to mysql but they are not very helpful I see I was not very clear below and will annotate below. But the problem is still there, I cannot figure out how to sanitize with mysql_real_escape_string(). I have tried to use it but cannot figure out where it should go... according to the php manual, but I see tat I have to have an active db connection; so how do I sanitize when this is a file for connecting and in an include file? Here is an include file that connects to the database: ? // db1.php // SQL login parameters for local environment $local_dbhost = localhost;// normally localhost $local_dbuser = root;// your local database user name $local_dbpass = gu...@#$;// your local database password $local_dbname = biblane;// your local database name // SQL remote parameters for remote environment (ex: nomonthlyfees) $remote_dbhost= localhost;// normally localhost $remote_dbuser = root;// your remote database user name $remote_dbpass = gu...@#$;// your remote database password $remote_dbname = biblane;// your remote database name // Local server address $LOCAL_SERVER = 127.0.0.1; // CONNECT to DATABASE if ($_SERVER[REMOTE_ADDR] == $LOCAL_SERVER) { $dbhost = $local_dbhost; $dbuser = $local_dbuser; $dbpass = $local_dbpass; $dbname = $local_dbname; } else { $dbhost = $remote_dbhost; $dbuser = $remote_dbuser; $dbpass = $remote_dbpass; $dbname = $remote_dbname; } $db = mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname,$db); //echo $dbname; //echo br; //echo $dbhost; //echo $dbuser; //echo $dbpass; if (!$db) { echo( PUnable to connect to the . database server at this time./P ); exit(); } // Select the database if (! mysql_select_db(biblane) ) { echo( PUnable to locate the biblane . database at this time./P ); exit(); } ? Eric Butera wrote: On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote: To focus on mysql_real_escape_string, I am recapping... questions below QUOTE:== Instead of doing this (for an imaginary table): $sql = insert into table1(field1, field2) values ('$value1', '$value2'); do $sql = insert into table1(field1, field2) values (' . mysql_real_escape_string($value1) . ', ' . mysql_real_escape_string($value2) . '); Now $value1 and $value2 can only be used as data, they can't be used against you. If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name. When you say escape all your inputs - just what do you mean? Does that mean I need some special routines that have to be repeated over and over every time there is an input... but what do you mean by an input? And, from looking at all the comments in the manual, it's not clear just where to stop... input means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped. END QUOTE === So, I am more confused than ever... TWO QUESTIONS: 1. It seems to me that submitting username, password and database_name is pretty dangerous. How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = ''; $db_pwd = 'xx'; $database = 'join_tutorial'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); No one seems to have resonded to the above question - how to sanitize this when there is no connection? Same idea as the upper include file... Problem: if there's no connection, how can you fetch anything from a table? Using a variable is fine for a table name. You only need to escape data coming from a user going in to your database. example: insert into address_book (first_name, last_name) values ($_POST['first_name'], $_POST['last_name']); first_name and last_name come from a form of some sorts - it's user input. It needs to be escaped. $query = insert into table(field1, field2) values (' . mysql_real_escape_string($_POST['first_name']) . ', ' . mysql_real_escape_string($_POST['last_name']) . '); 'first_name' and 'last_name' are the names of your input fields on your form. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
Eric Butera wrote: So here's some examples of bad behavior. = Database = Bad: $name = mysql_real_escape_string($_POST['name'], $link); myql_query(INSERT INTO foo (`name`) VALUES ('. $name .')); $name now contains slashes which means it is corrupt and not able to be echo'd without a stripslashes. You should never have to call stripslashes. If you do, you're doing it wrong. No, you are not doing it wrong. You are just doing it a different way. It's a lot easier to audit your code if you clean the input when you eat the POST. You should never echo a variable you haven't cleaned anyway because of reflection attacks. Clean it at input and you when auditing you code, you look for _POST and make sure you set the variable you use to the output of running the _POST through your filter. As far as having Bill O\'Really in your output, that doesn't happen if you get your output from the database that Bill O'Really was inserted into, as the escape has already served its purpose. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote: You only need to escape data coming from a user going in to your database. If you put user input into your database and pull it back out, it's still raw user input. Never trust any piece of data ever, whether it comes from a superglobal OR within your app itself. -- http://www.voom.me | EFnet: #voom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
On Wed, Mar 4, 2009 at 8:54 PM, Michael A. Peters mpet...@mac.com wrote: Eric Butera wrote: So here's some examples of bad behavior. = Database = Bad: $name = mysql_real_escape_string($_POST['name'], $link); myql_query(INSERT INTO foo (`name`) VALUES ('. $name .')); $name now contains slashes which means it is corrupt and not able to be echo'd without a stripslashes. You should never have to call stripslashes. If you do, you're doing it wrong. No, you are not doing it wrong. You are just doing it a different way. It's a lot easier to audit your code if you clean the input when you eat the POST. You should never echo a variable you haven't cleaned anyway because of reflection attacks. Clean it at input and you when auditing you code, you look for _POST and make sure you set the variable you use to the output of running the _POST through your filter. As far as having Bill O\'Really in your output, that doesn't happen if you get your output from the database that Bill O'Really was inserted into, as the escape has already served its purpose. Good luck with that. -- http://www.voom.me | EFnet: #voom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
On Wed, Mar 4, 2009 at 6:27 PM, Eric Butera eric.but...@gmail.com wrote: On Wed, Mar 4, 2009 at 8:54 PM, Michael A. Peters mpet...@mac.com wrote: Eric Butera wrote: So here's some examples of bad behavior. = Database = Bad: $name = mysql_real_escape_string($_POST['name'], $link); myql_query(INSERT INTO foo (`name`) VALUES ('. $name .')); $name now contains slashes which means it is corrupt and not able to be echo'd without a stripslashes. You should never have to call stripslashes. If you do, you're doing it wrong. No, you are not doing it wrong. You are just doing it a different way. It's a lot easier to audit your code if you clean the input when you eat the POST. You should never echo a variable you haven't cleaned anyway because of reflection attacks. Clean it at input and you when auditing you code, you look for _POST and make sure you set the variable you use to the output of running the _POST through your filter. As far as having Bill O\'Really in your output, that doesn't happen if you get your output from the database that Bill O'Really was inserted into, as the escape has already served its purpose. Good luck with that. -- http://www.voom.me | EFnet: #voom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Is it really THAT hard to take the extra step, ensure proper application security and filter both ways? I didn't think so. Kyle Terry | www.kyleterry.com Help kick start VOOM (Very Open Object Model) for a library of PHP classes. http://www.voom.me | IRC EFNet #voom
Re: [PHP] escape your variables
Eric Butera wrote: On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote: You only need to escape data coming from a user going in to your database. If you put user input into your database and pull it back out, it's still raw user input. Never trust any piece of data ever, whether it comes from a superglobal OR within your app itself. Isn't that what I said? -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
On Wed, Mar 4, 2009 at 6:55 PM, Chris dmag...@gmail.com wrote: Eric Butera wrote: On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote: You only need to escape data coming from a user going in to your database. If you put user input into your database and pull it back out, it's still raw user input. Never trust any piece of data ever, whether it comes from a superglobal OR within your app itself. Isn't that what I said? -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Actually no; you said You only need to escape data coming from a user going in to your database.
Re: [PHP] escape your variables
Kyle Terry wrote: On Wed, Mar 4, 2009 at 6:55 PM, Chris dmag...@gmail.com wrote: Eric Butera wrote: On Wed, Mar 4, 2009 at 8:18 PM, Chris dmag...@gmail.com wrote: You only need to escape data coming from a user going in to your database. If you put user input into your database and pull it back out, it's still raw user input. Never trust any piece of data ever, whether it comes from a superglobal OR within your app itself. Isn't that what I said? -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Actually no; you said You only need to escape data coming from a user going in to your database. mysql_real_escape_string is only needed to prevent sql issues going in. Of course your filter needs to check for other things before you put it in, but not because of the integrity of the sql statement. Once it is in the database, the mysql_real_escape_string has served it's purpose - it's in the database. mysql select name from foo; +---+ | name | +---+ | Bill O'Really | +---+ The \ is no longer there. You don't need stripslashes or anything else to use it in output. If you are going to use it for additional queries then you need to escape it again for the integrity of the query, but in most cases it is better to query based upon a unique ID integer associated with the name (primary key) - unless you are looking for multiple records with same name field, in which case you probably are dealing with a user input request that you have escaped when you ate the _POST variable. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
Actually no; you said You only need to escape data coming from a user going in to your database. Using a known variable in my app is not going to cause an sql injection problem. switch ($value) { case 'x': $my_field = 1; break; default: $my_field = 0; } an insert here with no escaping on $my_field will never cause sql injection. -- Postgresql php tutorials http://www.designmagick.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] escape your variables
On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote: To focus on mysql_real_escape_string, I am recapping... questions below QUOTE:== Instead of doing this (for an imaginary table): $sql = insert into table1(field1, field2) values ('$value1', '$value2'); do $sql = insert into table1(field1, field2) values (' . mysql_real_escape_string($value1) . ', ' . mysql_real_escape_string($value2) . '); Now $value1 and $value2 can only be used as data, they can't be used against you. If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name. When you say escape all your inputs - just what do you mean? Does that mean I need some special routines that have to be repeated over and over every time there is an input... but what do you mean by an input? And, from looking at all the comments in the manual, it's not clear just where to stop... input means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped. END QUOTE === So, I am more confused than ever... TWO QUESTIONS: 1. It seems to me that submitting username, password and database_name is pretty dangerous. How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = 'root'; $db_pwd = 'gu...@#$'; $database = 'join_tutorial'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); Inputs are user supplied. Variables coming from inside the application code are not really inputs. I prefer a two step approach to ensure that I am (hopefully) free from potential problems. 1. Use filtering like regex and length checks [ http://ca2.php.net/manual/en/function.ereg.php] 2. Use mysql_real_escape_string in the query whereever the data is potentially harmful. 2. How do you use mysql_real_escape_string on a string entered in a form page with input and $_POST where the inputs are strings like $titleIN, $authorINetc.? ?php $error = ''; $title = ''; $authorIN=''; //initialize vars $title = (eregi(^[a-z0-9\.\s]+$,$_POST['title'])) ? $_POST['title'] : $error .= invalid title; $authorIN = (eregi(^[a-z\.\s]+$,$_POST['author'])) ? $_POST['author'] : $error .= invalid author; $sql = insert into table (title, author) values (' . mysql_real_escape_string($title) . ',' . mysql_real_escape_string($authorIN) . '); //rest of code ? -- Phil Jourdan --- p...@ptahhotep.com http://www.ptahhotep.com http://www.chiccantine.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Bastien Cat, the other other white meat
Re: [PHP] escape your variables
On Wed, Feb 18, 2009 at 8:34 AM, PJ af.gour...@videotron.ca wrote: To focus on mysql_real_escape_string, I am recapping... questions below QUOTE:== Instead of doing this (for an imaginary table): $sql = insert into table1(field1, field2) values ('$value1', '$value2'); do $sql = insert into table1(field1, field2) values (' . mysql_real_escape_string($value1) . ', ' . mysql_real_escape_string($value2) . '); Now $value1 and $value2 can only be used as data, they can't be used against you. If you don't do that, try adding a last name of O'Reilly - your code will break because of the ' in the name. When you say escape all your inputs - just what do you mean? Does that mean I need some special routines that have to be repeated over and over every time there is an input... but what do you mean by an input? And, from looking at all the comments in the manual, it's not clear just where to stop... input means anything a user gives you. Whether it's a first name, last name, a comment in a blog, a website url - anything you get from a user must be escaped. END QUOTE === So, I am more confused than ever... TWO QUESTIONS: 1. It seems to me that submitting username, password and database_name is pretty dangerous. How does one deal with that? Do you use mysql_real_escape_string? e.g. ?php $db_host = 'localhost'; $db_user = 'root'; $db_pwd = 'gu...@#$'; $database = 'join_tutorial'; $table = 'authorBook'; if (!mysql_connect($db_host, $db_user, $db_pwd)) die(Can't connect to database); if (!mysql_select_db($database)) die(Can't select database); // sending query $result = mysql_query(SELECT * FROM {$table}); 2. How do you use mysql_real_escape_string on a string entered in a form page with input and $_POST where the inputs are strings like $titleIN, $authorINetc.? -- Phil Jourdan --- p...@ptahhotep.com http://www.ptahhotep.com http://www.chiccantine.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Escaping means making sure your data remains data in the context of using it. If you don't escape your data correctly depending on the context, then user input can break your applications. Also if your site is worthy of it, perhaps even a malicious user might try something, but usually what ends up happening is O'Henry gets a white page. Why? Well most code I come across has that horrid or die() following the query. Keep in mind that you want to escape your variable when you're using it only. You do not want to escape the actual variable itself, but a copy of it. This is why magic quotes is such a bad idea. It taints your actual data with slashes. There's more to it than just that, but you can research it on your own. So here's some examples of bad behavior. = Database = Bad: $name = mysql_real_escape_string($_POST['name'], $link); myql_query(INSERT INTO foo (`name`) VALUES ('. $name .')); $name now contains slashes which means it is corrupt and not able to be echo'd without a stripslashes. You should never have to call stripslashes. If you do, you're doing it wrong. Better: myql_query(INSERT INTO foo (`name`) VALUES ('. mysql_real_escape_string($name, $link) .')); This is better because we escape it in the sql statement itself. $name remains unchanged in case we want to use it later. Best: Use prepared statements! = Html = Bad: $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); echo $name; This is bad because $name is contaminated with html entities. What happens if you want to use it to send an email? What happens if you want to get a substring of it or parse out a few sentences for a little preview? Better: echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); This is better because we don't trust the data at all. You don't know what it contains. People find all sorts of interesting ways of getting weird characters into the apps I write, so just cover all bases. Another way: Create a pre-escaped version of the content in the db. Keep the original value so that the user can edit it, but also create a 'clean' version that you can just echo out. Just make sure you don't mess up. :) Keep in mind a lot of this is my opinion of course. I think keeping your data as data is the correct method. If you forget to escape even once though you open yourself up for broken applications/attacks. You could take the other approach of just letting ext/filter pre escape everything, but then you've got to decode all of that data if you ever want to use it as plain text. So find the happy balance that fits your needs the best and go for it. The main thing is understanding the difference between what your data is and its escaped version. Once you know that you can do what you need. -- http://www.voom.me | EFnet: #voom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php