A couple of security questions

**coiL** · Mar 23, 2003 00:42

Hi,

I was just doing some reading through threads about security issues and php. There were a few things that I would like clarified..

"As a general rule, always escape any variable which will be used in a query, where the value of the variable was obtained from "outside" e.g. a form post or a cookie - you'll feel generally more relaxed if you do...." - Exactly how do you 'escape' a variable?

Another post mentioned that you should not use quotes around any variables that have numeric values in a query. Does this mean I should be writing

PHP Code:


<?
$number = 3;
 
$sql = "select * from ages where age = $number ";
 
// rather then
$sql = "select * from ages where age = '$number' ";
?>

?

**Mike** · Mar 23, 2003 01:13

For your second question, yes, the first one

For your first question... they probably meant to error check it. IF the variable should only be numeric, check that. If it should only be alphanumeric, check that. If it cant have any special characters, set that...etc...

**DR_LaRRY_PEpPeR** · Mar 23, 2003 02:02

Originally Posted by coiL

Exactly how do you 'escape' a variable?

with addslashes() if magic_quotes_gpc is Off. otherwise it's already done and you don't need to do anything. of course i recommend my code in the coding tips thread to make sure magic_quotes_gpc is always "Off."

see people, this is why magic_quotes_gpc should never have existed.

it messes things up in so many cases when its purpose was to make things "easier."

well, it'd be super easy if it didn't exist. you'd tell people one thing that would always work right with no if's and's or but's: use addslashes().

that's not the case however. man i hate PHP sometimes. no other language i've ever heard of does things as stupid as register_globals and magic_quotes.

Originally Posted by coiL

Another post mentioned that you should not use quotes around any variables that have numeric values in a query.

i think that's my signature!

if something is supposed to be numeric, there's no reason to use addslashes(), just type cast it as (int) and it'll make sure it's a number. e.g. for a supposed-to-be-numeric $_GET['id']:

$_GET['id'] = (int) $_GET['id'];
// Now it's safe to use $_GET['id'] in a query

and of course don't put quotes around the value of $_GET['id'] in the query.

**sojomy** · Mar 23, 2003 11:33

Originally Posted by DR_LaRRY_PEpPeR

if something is supposed to be numeric, there's no reason to use addslashes(), just type cast it as (int) and it'll make sure it's a number. e.g. for a supposed-to-be-numeric $_GET['id']:

$_GET['id'] = (int) $_GET['id'];
// Now it's safe to use $_GET['id'] in a query

and of course don't put quotes around the value of $_GET['id'] in the query.

So will this work?

PHP Code:


<?
$SQL = mysql_query('SELECT * FROM Users WHERE UserID=' . (int)$_GET['UserID']);
?>

**DR_LaRRY_PEpPeR** · Mar 23, 2003 17:47

Originally Posted by sojomy

So will this work?

PHP Code:


<?

$SQL = mysql_query('SELECT * FROM Users WHERE UserID=' . (int)$_GET['UserID']);

?>

yup, sure will.

it just doesn't "permanently" change the value of $_GET['UserID']. but if you're only using it once in the script, that's ok.

**sojomy** · Mar 23, 2003 21:59

Originally Posted by DR_LaRRY_PEpPeR

yup, sure will.

it just doesn't "permanently" change the value of $_GET['UserID']. but if you're only using it once in the script, that's ok.

Cool, I have tons of scripts to go edit now. Filling all the possible holes when I see them...

User Tag List

Thread: A couple of security questions

Thread Tools

Display

A couple of security questions

Bookmarks

Bookmarks

Posting Permissions