A side note here about mysql_real_escape_string - curious if anyone is an expert on this... In the last year, I switched over from using addslashes to using mysql_real_escape_string to escape strings in sql statements because it's the 'right thing to do.'
I'm currently reading "Building Scalable Web Sites" by Cal Henderson (which I think is great so far for anyone making large [or potentially large] web apps). In the section about avoiding sql injection attacks, he says "the more complicated mysql_real_escape_string escapes a bunch more characters but is ultimately unnecessary (although useful for making logs easier to read)." I thought that was interesting - "ultimately unnecessary." Although I guess this argument will be moot as soon as people move to php 5/mysql 5, as prepared statements seem to be the way to go there.

-Rob

csnyder wrote:
> On 10/30/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
>> [...]
>> //Add new customer to database
>> function AddNewCustomer($FirstName, $LastName, $Address,
>>                         $City, $State, $ZipCode,
>>                         $AreaCode, $Phone, $Email,
>>                         $WebsiteURL, $LoginName, $Password
>>                        )
>> {
>>     $query = 'INSERT INTO Customer_Info (FirstNameCol,
>>                 LastNameCol, AddressCol, CityCol, StateCol,
>>                 ZipCodeCol, AreaCodeCol, PhoneCol,
>>                 EmailCol, WebsiteURLCol,
>>                 LoginNameCol, PasswordCol
>>               )
>>               VALUES ("'. $FirstName . '", "' . $LastName . '",
>>                 "' . $Address . '", "' . $City . '",
>>                 "' . $State . '", "' . $ZipCode . '",
>>                 "' . $AreaCode . '", "' . $Phone . '",
>>                 "' . $Email . '",
>>                 "' . $WebsiteURL . '", "' . $LoginName . '",
>>                 "' . SHA1($Password) . '")';
>> }
>>
>> Feel free to correct my code and give suggestions for better techniques.
>>
>
> Hi Paul,
>
> You always need to escape each of the user submitted values in your
> SQL, in order to prevent breakage and security vulnerabilities. The
> mysql_real_escape_string() function is the recommended way to do this.
>
> function dbEsc( $value ) {
>     return mysql_real_escape_string( $value );
> }
>
> function AddNewCustomer( $FirstName ) {
>     $query = 'INSERT INTO Customer_Info ( FirstNameCol )
>         VALUES ("'. dbEsc($FirstName) . '")';
>     return mysql_query($query);
> }
>
> This is one of the two fundamental rules of secure web programming
> with php (the other being that you always escape output values using
> htmlentities()).

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
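As an added example (not code from this thread or from anyone posting in it), here is the quoted AddNewCustomer() written both ways the thread discusses: csnyder's escape-every-value rule, using mysqli::real_escape_string(), the successor of mysql_real_escape_string() in current PHP, and the prepared-statement route Rob mentions, using PDO bound parameters. Table and column names are the ones in Paul's post; the host, database name, credentials and the sample customer record are assumed placeholders, and the code assumes PHP 7.1 or later. One detail the escaping route makes visible in code is that real_escape_string() consults the connection's character set, which is why it needs a live connection and why the charset is set explicitly before anything is escaped; addslashes() knows nothing about the connection, and the escaped value is only safe inside a quoted literal, so the quotes around it are part of the technique.

```php
<?php
// Added example, not code from the thread. The quoted AddNewCustomer() is
// rewritten two ways: (1) escaping every value, as csnyder's reply says, with
// mysqli::real_escape_string(), the successor of mysql_real_escape_string();
// (2) a PDO prepared statement, the route Rob mentions for PHP 5 / MySQL 5.
// Table and column names come from Paul's post. Host, database, credentials
// and the sample record are assumed placeholders.

const CUSTOMER_COLUMNS = [
    'FirstNameCol', 'LastNameCol', 'AddressCol', 'CityCol', 'StateCol',
    'ZipCodeCol', 'AreaCodeCol', 'PhoneCol', 'EmailCol', 'WebsiteURLCol',
    'LoginNameCol', 'PasswordCol',
];

// Shared guard: $values must hold one entry per column except PasswordCol.
function checkValueCount(array $values): void
{
    if (count($values) !== count(CUSTOMER_COLUMNS) - 1) {
        throw new InvalidArgumentException('expected one value per non-password column');
    }
}

// (1) Escape-every-value route. real_escape_string() is charset-aware and so
// needs the live connection; it only makes a value safe *inside* a quoted
// literal, so the surrounding quotes are added here and are not optional.
function AddNewCustomerEscaped(mysqli $db, array $values, string $password): bool
{
    checkValueCount($values);
    $values[] = sha1($password); // hashed as in Paul's post; password_hash() is the current choice
    $quoted = array_map(function (string $v) use ($db): string {
        return "'" . $db->real_escape_string($v) . "'";
    }, $values);
    $sql = 'INSERT INTO Customer_Info (' . implode(', ', CUSTOMER_COLUMNS) . ')'
         . ' VALUES (' . implode(', ', $quoted) . ')';
    return $db->query($sql) === true;
}

// (2) Prepared-statement route. Values travel separately from the SQL text,
// so there is no escaping step that can be forgotten for one column.
function AddNewCustomerPrepared(PDO $pdo, array $values, string $password): bool
{
    checkValueCount($values);
    $values[] = sha1($password);
    $placeholders = implode(', ', array_fill(0, count(CUSTOMER_COLUMNS), '?'));
    $stmt = $pdo->prepare('INSERT INTO Customer_Info (' . implode(', ', CUSTOMER_COLUMNS)
                        . ') VALUES (' . $placeholders . ')');
    return $stmt->execute($values);
}

// Usage with placeholder connection details. The sample record is constructed;
// the apostrophe in the last name is the kind of input that unescaped
// concatenation into a quoted literal breaks on, and both routes store it intact.
$customer = ['Paul', "O'Brien", '1 Main St', 'New York', 'NY', '10001',
             '212', '5550100', 'paul@example.com', 'http://example.com', 'pobrien'];

$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'shop');
$mysqli->set_charset('utf8mb4'); // set before escaping anything, so escaping matches the connection charset
AddNewCustomerEscaped($mysqli, $customer, 'hunter2');

$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app_user', 'app_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares, not client-side quoting
AddNewCustomerPrepared($pdo, $customer, 'hunter2');
```

Both functions take the values as an ordered array rather than twelve named parameters so that the column list, the value list and the placeholder list are all derived from the same CUSTOMER_COLUMNS constant; with the twelve-argument signature from the thread, one missed dbEsc() call on any single argument would have been enough to reopen the problem csnyder describes.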