  1. #1 coiL (SitePoint Guru)

    A couple of security questions

    Hi,

    I was just doing some reading through threads about security issues and PHP. There were a few things that I would like clarified.

    "As a general rule, always escape any variable which will be used in a query, where the value of the variable was obtained from "outside" e.g. a form post or a cookie - you'll feel generally more relaxed if you do...." - Exactly how do you 'escape' a variable?

    Another post mentioned that you should not use quotes around any variables that have numeric values in a query. Does this mean I should be writing
    PHP Code:
    <?php
    $number = 3;

    $sql = "select * from ages where age = $number ";

    // rather than
    $sql = "select * from ages where age = '$number' ";
    ?>
    ?
    coiL
    "cradled in the learning curve"

  2. #2 Mike
    For your second question, yes, the first one.

    For your first question... they probably meant to error check it. If the variable should only be numeric, check that. If it should only be alphanumeric, check that. If it can't have any special characters, set that... etc.
    Mike
    It's not who I am underneath, but what I do that defines me.

  3. #3 DR_LaRRY_PEpPeR
    Quote Originally Posted by coiL
    Exactly how do you 'escape' a variable?
    with addslashes() if magic_quotes_gpc is Off. otherwise it's already done and you don't need to do anything. of course i recommend my code in the coding tips thread to make sure magic_quotes_gpc is always "Off."

    see people, this is why magic_quotes_gpc should never have existed. it messes things up in so many cases when its purpose was to make things "easier." well, it'd be super easy if it didn't exist. you'd tell people one thing that would always work right with no if's and's or but's: use addslashes().

    that's not the case however. man i hate PHP sometimes. no other language i've ever heard of does things as stupid as register_globals and magic_quotes.
    Quote Originally Posted by coiL
    Another post mentioned that you should not use quotes around any variables that have numeric values in a query.
    i think that's my signature!

    if something is supposed to be numeric, there's no reason to use addslashes(), just type cast it as (int) and it'll make sure it's a number. e.g. for a supposed-to-be-numeric $_GET['id']:

    $_GET['id'] = (int) $_GET['id'];
    // Now it's safe to use $_GET['id'] in a query

    and of course don't put quotes around the value of $_GET['id'] in the query.
    - Matt ** Ignore old signature for now... **
    Dr.BB - Highly optimized to be 2-3x faster than the "Big 3."
    "Do not enclose numeric values in quotes -- that is very non-standard and will only work on MySQL." - MattR

  4. #4 sojomy
    Quote Originally Posted by DR_LaRRY_PEpPeR
    if something is supposed to be numeric, there's no reason to use addslashes(), just type cast it as (int) and it'll make sure it's a number. e.g. for a supposed-to-be-numeric $_GET['id']:

    $_GET['id'] = (int) $_GET['id'];
    // Now it's safe to use $_GET['id'] in a query

    and of course don't put quotes around the value of $_GET['id'] in the query.
    So will this work?

    PHP Code:
    <?php
    $SQL = mysql_query('SELECT * FROM Users WHERE UserID=' . (int) $_GET['UserID']);
    ?>

  5. #5 DR_LaRRY_PEpPeR
    Quote Originally Posted by sojomy
    So will this work?

    PHP Code:
    <?php
    $SQL = mysql_query('SELECT * FROM Users WHERE UserID=' . (int) $_GET['UserID']);
    ?>
    yup, sure will. it just doesn't "permanently" change the value of $_GET['UserID']. but if you're only using it once in the script, that's ok.
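The two practices discussed in posts #3 and #5 (checking a supposed-to-be-numeric "outside" value and using it unquoted, versus escaping a string value before it reaches the query), as an added example that is not code from this thread or its posters. It assumes PHP with PDO and the SQLite driver so it runs offline; with MySQL only the DSN and credentials would change. The helper name numericParam() is made up for this example. Where post #3 uses addslashes() for string values, the example passes the string as a bound parameter, which removes the dependence on the magic_quotes_gpc setting altogether; for the numeric case it keeps the thread's unquoted-integer form but validates before using the value, because a bare (int) cast turns "abc" into 0 and "12abc" into 12 without complaint.

```php
<?php
// Added example, not from the thread: validate a numeric request value,
// store it back so later uses in the script get the checked value (the
// "permanent" change post #5 mentions), and bind a string value instead
// of escaping it by hand. Uses an in-memory SQLite database via PDO.

/**
 * Return $raw as an int if it is a plain integer string, otherwise null.
 * FILTER_VALIDATE_INT returns 0 for "0", so the comparison must be
 * against false, not a truthiness test.
 */
function numericParam($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Constructed sample inputs standing in for $_GET['id'] values, showing
// what the bare (int) cast gives next to what the stricter check gives.
foreach (['42', '12abc', 'abc', '0', '-5'] as $raw) {
    $checked = numericParam($raw);
    printf("%-8s (int) cast => %-3d validated => %s\n",
        var_export($raw, true), (int) $raw,
        $checked === null ? 'rejected' : $checked);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ages (name TEXT, age INTEGER)');
$db->exec("INSERT INTO ages VALUES ('ann', 3), ('o''brien', 30)");

// Numeric value: validated, written back to $_GET, then placed in the SQL
// without quotes, as the thread advises. A bad value ends the request
// instead of querying for age = 0.
$_GET['age'] = '3';                       // constructed request value
$age = numericParam($_GET['age']);
if ($age === null) {
    http_response_code(400);
    exit('age must be an integer');
}
$_GET['age'] = $age;
$names = $db->query("SELECT name FROM ages WHERE age = $age")
            ->fetchAll(PDO::FETCH_COLUMN);
print_r($names);                          // one row: ann

// String value from "outside": bind it. The driver handles the embedded
// quote, so no addslashes() and no magic_quotes_gpc dependence.
$stmt = $db->prepare('SELECT age FROM ages WHERE name = ?');
$stmt->execute(["o'brien"]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN)); // one row: 30
```

Running it under the PHP CLI prints the cast-versus-validated table for the five constructed inputs ("12abc" and "abc" are rejected, "0" and "-5" are accepted as integers) and then the two query results.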

  6. #6 sojomy
    Quote Originally Posted by DR_LaRRY_PEpPeR
    yup, sure will. it just doesn't "permanently" change the value of $_GET['UserID']. but if you're only using it once in the script, that's ok.
    Cool, I have tons of scripts to go edit now. Filling all the possible holes when I see them...

