PHP Server Side Scripting Forum
Sanitizing PHP theory
mysql escape string
Adam5000
msg:4211032
1:02 pm on Oct 4, 2010 (gmt 0)

The registration form I'm creating is almost done. Next I'm adding security to defend against a MySql injection attack.

I've read some about the function mysql_real_escape_string(). What does that function do?

 

omoutop
msg:4211033
1:07 pm on Oct 4, 2010 (gmt 0)

according to php.net:
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

Also take note of the notes at the bottom:
If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.


More info: [php.net...]
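To show the two-step sequence the php.net note describes in practice, here is an added example; it is not code from the thread or from php.net. It assumes a legacy PHP 5.x setup with the old mysql extension, an open connection in $link, and a users table with id and username columns; the mysqli host, credentials and database name are placeholders. The second half does the same lookup with a mysqli prepared statement, which is the replacement once the mysql extension is gone (it was removed in PHP 7).

```php
<?php
// Added example, not from the thread. Assumes PHP 5.x with ext/mysql,
// an open connection $link, and a users(id, username) table.

// Escape one form value for interpolation into a mysql_query() string.
function escape_for_mysql($value, $link)
{
    // With magic_quotes_gpc on, PHP has already backslashed $_POST data.
    // Strip those first, or mysql_real_escape_string() escapes it twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // An open connection is required: escaping depends on its character set.
    return mysql_real_escape_string($value, $link);
}

// Legacy usage: the quotes around the escaped value are still required,
// because escaping only protects the inside of a string literal.
$user = escape_for_mysql(isset($_POST['username']) ? $_POST['username'] : '', $link);
$sql  = "SELECT id FROM users WHERE username = '" . $user . "'";
$result = mysql_query($sql, $link);

// Same lookup with a mysqli prepared statement. The value is sent
// separately from the SQL text, so no escaping step is involved; only the
// magic_quotes backslashes still have to be removed from the raw input.
$raw = isset($_POST['username']) ? $_POST['username'] : '';
if (get_magic_quotes_gpc()) {
    $raw = stripslashes($raw);
}
$db   = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholders
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->bind_param('s', $raw);
$stmt->execute();
$stmt->bind_result($id);
$found = $stmt->fetch(); // true when a row matched
$stmt->close();
```

The prepared-statement form is the one to keep: it removes the "did I already escape this?" question entirely, and it is not affected by the character-set edge cases that make mysql_real_escape_string() depend on an open connection.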

Matthew1980
msg:4211208
8:06 pm on Oct 4, 2010 (gmt 0)

hi there Adam5000,

Sanitising data from form submission isn't reliant just on the function that you quote, as all this does is add slashes to quotes to make them SQL safe. There are other methods available, and this is where you need to research what you should allow/convert and/or make the exception for.

strip_tags() is the most useful for removing HTML tags, and trim() is useful for getting rid of whitespace, but as each project is different, you will need to assess and see what you need to use.

There are other functions too; for example, for checking the validity of an email address, this function alleviates the need for preg_ functions (credit to Readie for this too!):

<?php
// $input holds the submitted address (field name assumed for illustration)
$input = isset($_POST['email']) ? trim($_POST['email']) : '';

// filter_var() returns false when the value is not a syntactically valid address
if (!filter_var($input, FILTER_VALIDATE_EMAIL)) {
    echo "Email address not valid format";
} else {
    echo "Email address valid format";
}

You get the idea there...

Have fun finding new ways of protecting your hard work.

Cheers,
MRb

Adam5000
msg:4211258
9:52 pm on Oct 4, 2010 (gmt 0)

omoutop: That's good information and gives me food for thought.

Matthew: I understand what you're saying. Sanitizing simply involves checking the user input to make sure it only contains the characters it's supposed to contain.

Or in other words sanitizing involves checking the user input to make sure it DOESN'T contain any characters (malicious or accidental) that foul up or manipulate the database.

That's a good idea.

When creating passwords for myself, for example the password for my hosting site, I've noticed that certain characters are not allowed. And now I know why.

I've got a plan and it seems pretty simple. And after I thought about it I found myself saying "This is too easy to work." I've got most of the code but there's one part I'm not quite sure about. New post coming up.
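Putting Matthew1980's functions and Adam5000's "only the characters it's supposed to contain" rule together, here is an added example, not code from the thread, of a validation pass for a registration form. The field names, the allowed username character set and the length limits are assumptions. It does not touch the database; it returns an error list plus the cleaned values, so the database step only ever sees input that has already passed.

```php
<?php
// Added example, not from the thread. Field names and rules are assumed.

// Validate a registration form. Returns ok/errors/clean; nothing here
// talks to MySQL, so it can be unit-tested with plain arrays.
function validate_registration(array $post)
{
    $errors = array();

    // trim() drops surrounding whitespace; strip_tags() removes HTML tags.
    $username = trim(strip_tags(isset($post['username']) ? $post['username'] : ''));
    $email    = trim(isset($post['email']) ? $post['email'] : '');
    $password = isset($post['password']) ? $post['password'] : '';

    // Whitelist: the username may contain only the characters it is
    // supposed to contain. Anything else is rejected, not "cleaned".
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores';
    }

    // filter_var() replaces a hand-written regex for the email format.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address not valid format';
    }

    // A password is never written into SQL text (it is hashed before
    // storage), so the only check here is a minimum length.
    if (strlen($password) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }

    return array(
        'ok'     => empty($errors),
        'errors' => $errors,
        'clean'  => array('username' => $username, 'email' => $email),
    );
}

// Constructed sample inputs: one well-formed submission, one with an HTML
// tag around a too-short name, a malformed address and a short password.
$good = validate_registration(array(
    'username' => 'adam_5000',
    'email'    => 'adam@example.com',
    'password' => 'correct horse battery',
));
$bad = validate_registration(array(
    'username' => '<b>ad</b>',
    'email'    => 'not-an-address',
    'password' => 'short',
));

foreach (array('good' => $good, 'bad' => $bad) as $label => $result) {
    echo $label, ': ', $result['ok'] ? 'accepted' : implode('; ', $result['errors']), "\n";
}
```

Two points worth keeping in mind when reusing this: the whitelist approach rejects rather than repairs, which avoids the "what did the cleaning step turn my input into?" surprises that strip_tags() alone can produce; and strip_tags() on the way in is not a substitute for htmlspecialchars() on the way out when the stored value is printed back into a page.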

Adam5000
msg:4211265
10:03 pm on Oct 4, 2010 (gmt 0)

Sanitizing reminds me of a comedy scene I saw on television that I got a grin out of. I think it starred Don Knotts (Barney Fife) as a naive computer user. He accidentally entered a bad character and fouled everything up.

Adam5000
msg:4211266
10:08 pm on Oct 4, 2010 (gmt 0)

I'll call this part "The Barney Fife" code. Smile.
