
Sanitizing PHP theory

mysql escape string

1:02 pm on Oct 4, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 1, 2005
posts:370
votes: 0


The registration form I'm creating is almost done. Next I'm adding security to defend against a MySql injection attack.

I've read a bit about the function mysql_real_escape_string(). What does that function do?
1:07 pm on Oct 4, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 15, 2004
posts:941
votes: 0


According to php.net:
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

Also take note of the notes at the bottom of that page:
If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.


More info: [php.net...]
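The following PHP script is an added illustration of the two php.net passages quoted above; it is not code from the thread. It uses a pure-PHP reference implementation of the documented escaping rules of mysql_real_escape_string() (so the transformation can be shown without a MySQL server), simulates the magic_quotes_gpc double-escaping the note warns about, and then runs the same hostile input through a concatenated query, a driver-escaped query and a prepared statement against an in-memory SQLite database via PDO. The table, the payloads and the helper names (mysql_style_escape, count_rows) are assumptions made for the example; with MySQL the only change would be the PDO DSN.

```php
<?php
// Added example, not from the thread. Shows (1) which characters
// mysql_real_escape_string() rewrites, via a reference implementation of
// its documented rules, (2) the double-escaping that happens when
// magic_quotes_gpc has already slashed the input, and (3) why a prepared
// statement is the safer default. Queries run against an in-memory SQLite
// table through PDO so the script works offline.

// Reference implementation of the documented escaping rules: NUL, \n, \r,
// backslash, single quote, double quote and Ctrl-Z get a backslash.
// (The real function is also aware of the connection character set; this
// simplified version is not.)
function mysql_style_escape(string $s): string
{
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Constructed hostile input: the classic login-bypass payload.
$raw = "' OR '1'='1";

echo "raw:           $raw\n";
echo "escaped once:  " . mysql_style_escape($raw) . "\n";

// With magic_quotes_gpc on (PHP < 5.4) the input already arrives slashed.
// Escaping it again keeps the backslashes as data; that is the
// "escaped twice" problem the php.net note describes.
$magic = addslashes($raw);                        // simulate magic_quotes_gpc
echo "escaped twice: " . mysql_style_escape($magic) . "\n";
echo "fixed:         " . mysql_style_escape(stripslashes($magic)) . "\n";

// Throwaway table for the live queries (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

function count_rows(PDO $pdo, string $sql, array $params = []): int
{
    $st = $pdo->prepare($sql);
    $st->execute($params);
    return count($st->fetchAll());
}

// 1. Concatenation with no escaping: the payload closes the quote and
//    every row matches.
$sql = "SELECT * FROM users WHERE name = '$raw'";
echo "concatenated:  " . count_rows($pdo, $sql) . " rows  <- injected\n";

// 2. Driver-specific escaping. PDO::quote() is the PDO analogue of
//    mysql_real_escape_string() (it also adds the outer quotes). The quote
//    in the payload is now just data, so nothing matches.
$sql = "SELECT * FROM users WHERE name = " . $pdo->quote($raw);
echo "quoted:        " . count_rows($pdo, $sql) . " rows\n";

// 3. Prepared statement: the value never becomes part of the SQL text.
$sql = "SELECT * FROM users WHERE name = :name";
echo "prepared:      " . count_rows($pdo, $sql, [':name' => $raw]) . " rows\n";

// Caveat: escaping only protects values that sit inside quotes. A numeric
// column used without quotes stays injectable however well the input is
// escaped; binding (or casting) is what closes that hole.
$id  = "1 OR 1=1";                                // constructed input
$sql = "SELECT * FROM users WHERE id = " . mysql_style_escape($id);
echo "unquoted id:   " . count_rows($pdo, $sql) . " rows  <- escaping did not help\n";
$sql = "SELECT * FROM users WHERE id = :id";
echo "bound id:      " . count_rows($pdo, $sql, [':id' => (int) $id]) . " rows\n";
```

Run it with `php example.php` on any PHP build with pdo_sqlite enabled. The concatenated and unquoted-id queries return both rows, the quoted, prepared and bound-id queries return the expected one or zero, and the "escaped twice" line shows the extra backslashes that would be written into the database if stripslashes() were skipped under magic_quotes_gpc.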
8:06 pm on Oct 4, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Feb 22, 2009
posts:1396
votes: 0


hi there Adam5000,

Sanitising data from a form submission isn't reliant just on the function you quote, as all that does is add slashes to quotes to make them SQL safe. There are other methods available, and this is where you need to research what you should allow, convert and/or make an exception for.

strip_tags() is the most useful for removing HTML tags, and trim() is useful for getting rid of whitespace, but as each project is different you will need to assess what you need to use.

There are other functions too. For example, for checking the validity of an email address, this function alleviates the need for preg_ functions (credit to Readie for this too):

if (!filter_var($input, FILTER_VALIDATE_EMAIL)) {
    echo "Email address not valid format";
} else {
    echo "Email address valid format";
}

You get the idea there...

Have fun finding new ways of protecting your hard work

Cheers,
MRb
9:52 pm on Oct 4, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 1, 2005
posts:370
votes: 0


omoutop: That's good information and gives me food for thought.

Matthew: I understand what you're saying. Sanitizing simply involves checking the user input to make sure it only contains the characters it's supposed to contain.

Or in other words sanitizing involves checking the user input to make sure it DOESN'T contain any characters (malicious or accidental) that foul up or manipulate the database.

That's a good idea.

When creating passwords for myself, for example the password for my hosting site, I've noticed that certain characters are not allowed. And now I know why.

I've got a plan and it seems pretty simple. And after I thought about it I found myself saying "This is too easy to work." I've got most of the code but there's one part I'm not quite sure about. New post coming up.
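The PHP routine below is an added example, not code posted by anyone in the thread. It combines the advice from the two posts above (trim(), strip_tags(), filter_var() with FILTER_VALIDATE_EMAIL, and checking that a field "only contains the characters it's supposed to contain") into one registration-form validator and runs it on constructed inputs. The field names, length limits and the username character set are assumptions chosen for illustration, not requirements stated in the thread.

```php
<?php
// Added example, not posted in the thread. An allow-list validator for a
// registration form, built from the functions the posts above mention.
// Field names, limits and the username character class are assumptions.

function validate_registration(array $post): array
{
    $errors = [];
    $clean  = [];

    // Username: allow-list. Only the characters the field is supposed to
    // contain are accepted; anything else is rejected rather than "fixed".
    $username = trim($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores';
    } else {
        $clean['username'] = $username;
    }

    // Email: the filter_var() check from the thread. trim() first, because
    // surrounding whitespace on its own makes the filter fail.
    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address not valid format';
    } else {
        $clean['email'] = $email;
    }

    // Display name: free text, so strip_tags() removes markup and a length
    // cap bounds what gets stored. strip_tags() is a cleanup step, not an
    // output-encoding step: when the name is later printed inside HTML it
    // still needs htmlspecialchars().
    $display = trim(strip_tags($post['display_name'] ?? ''));
    if ($display === '' || strlen($display) > 40) {
        $errors['display_name'] = 'Display name must be 1-40 characters';
    } else {
        $clean['display_name'] = $display;
    }

    // Password: no character restriction is needed, because the value is
    // hashed and never placed into SQL as text. Only the length is checked.
    $password = $post['password'] ?? '';
    if (strlen($password) < 8) {
        $errors['password'] = 'Password must be at least 8 characters';
    } else {
        $clean['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }

    return ['errors' => $errors, 'clean' => $clean];
}

// Constructed inputs: one good submission and one hostile one.
$good = [
    'username'     => ' adam5000 ',
    'email'        => 'adam@example.com',
    'display_name' => 'Adam',
    'password'     => 'correct horse battery',
];
$hostile = [
    'username'     => "admin'--",                       // quote + SQL comment
    'email'        => 'not an email',
    'display_name' => '<script>alert(1)</script>Adam',  // markup in free text
    'password'     => 'short',
];

foreach (['good' => $good, 'hostile' => $hostile] as $label => $input) {
    $result = validate_registration($input);
    echo "$label: " . (empty($result['errors']) ? 'accepted' : 'rejected') . "\n";
    foreach ($result['errors'] as $field => $msg) {
        echo "  $field: $msg\n";
    }
    if (isset($result['clean']['display_name'])) {
        echo "  display_name after strip_tags(): " . $result['clean']['display_name'] . "\n";
    }
}
```

The good submission is accepted with the username trimmed; the hostile one is rejected on username, email and password, while its display name survives as "alert(1)Adam", which is the point of the comment in that branch: strip_tags() drops tags but keeps the text between them, so it complements rather than replaces output encoding.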
10:03 pm on Oct 4, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 1, 2005
posts:370
votes: 0


Sanitizing reminds me of a comedy scene I saw on television that I got a grin out of. I think it starred Don Knotts (Barney Fife) as a naive computer user. He accidentally entered a bad character and fouled everything up.
10:08 pm on Oct 4, 2010 (gmt 0)

Preferred Member

10+ Year Member

joined:Apr 1, 2005
posts:370
votes: 0


I'll call this part "The Barney Fife" code. Smile.