Thread: $_get?

  1. #26 SitePoint Guru (joined Nov 2004, Plano, 643 posts)
    stripslashes and mysql_real_escape_string are doing 2 completely different things.

    you are using stripslashes so the content you get from the URL is readable by the user. stripslashes is not equivalent to validating, it is just making the content more readable by whoever reads your webpage.

    you are using mysql_real_escape_string so the content you get from the URL can be safely entered into mysql, without fear of mysql injections, as dylan B stated above. this, again, isn't exactly "validating", but it will for the most part protect you against getting your database hijacked, which stripslashes will not do (if you think about it...stripslashes just removes one slash...if they wanted all they would have to do is add another, and they have what they wanted to insert into your db).

    if you want to "validate" your data, you will need to run tests against the data to make sure it meets specific requirements. if you have a page number, for example, you might want to check that a) it's a number, b) it's a positive number, c) the number is less than your max pages. and that, of course, is the most secure way to protect your application from being abused.

    anyone else feel free to add to this.

  2. #27 011110010110000101111001 jabird (joined Aug 2004, U.S., 593 posts)
    Thank you, Xtrem3.

    The reason I am adding stripslashes is simply because it does need to be readable by the user; it would be terribly ugly if someone came to SitePoint and there were backslashes everywhere, and actually quite unprofessional in my opinion. I will validate it, but first I want it to work. My site is not very popular at all, so I'm not worried about a hacker getting in right now and messing with me, and besides that, the query isn't working, so it really doesn't matter at the moment.

    Thanks again,
    ~Jabird
    Jabird.com
    If I were binary... I'd be all 1's for you.
    BBCode trouble?

  3. #28 011110010110000101111001 jabird (joined Aug 2004, U.S., 593 posts)
    Can someone help me out here, please?
    ~Jabird
    Jabird.com
    If I were binary... I'd be all 1's for you.
    BBCode trouble?

  4. #29 SitePoint Guru (joined Nov 2004, Plano, 643 posts)
    i was clarifying the difference because in your code, you have mixed the two.

    PHP Code:
    // original code as posted: the SQL escaping is undone by stripslashes()
    // before the query runs, and the values are not quoted in the SQL
    $newstitle = mysql_escape_string($_POST['newstitle']);
    $newstext = mysql_escape_string($_POST['newstext']);
    $title_stripped = stripslashes($newstitle);
    $text_stripped = stripslashes($newstext);
    $id = stripslashes($_GET['id']);
    echo '<input value="'.$title_stripped.'" /><br />';
    echo ''.$text_stripped.'<br /><br />';
    $updatetitle = @mysql_query('UPDATE news SET newstitle='.$title_stripped.' WHERE id='.$id.'');
    $updatetext = @mysql_query('UPDATE news SET newstext='.$text_stripped.' WHERE id='.$id.'');
    you used the same value in both the <input> field and the mysql query. what i would recommend is stripping the tags at the beginning of your file, so throughout the entire file you have correct data. then, right before you make an sql query, escape the string, which will make sure your query works correctly. also it is better to use mysql_real_escape_string as opposed to mysql_escape_string.

    i have modified the code...

    PHP Code:
    // get variables from the request (form fields from POST, id from the URL)
    $newstitle = stripslashes($_POST['newstitle']);
    $newstext = stripslashes($_POST['newstext']);
    $id = stripslashes($_GET['id']);

    echo '<input value="'.$newstitle.'" /><br />';
    echo ''.$newstext.'<br /><br />';

    // make variables safe for SQL (requires an open mysql connection)
    $newstitle_safe = mysql_real_escape_string($newstitle);
    $newstext_safe = mysql_real_escape_string($newstext);
    $id_safe = mysql_real_escape_string($id);
    $updatetitle = @mysql_query("UPDATE news SET newstitle='$newstitle_safe' WHERE id='$id_safe'");
    $updatetext = @mysql_query("UPDATE news SET newstext='$newstext_safe' WHERE id='$id_safe'");
    i hope this makes sense
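The pattern described in #26 and #29 (validate the input first, then escape for each output context only at the point where you use the value), as an added example that is not code from this thread. It assumes a live mysqli connection in $db, a news table with an integer id plus newstitle and newstext columns as in the queries above, and an assumed upper bound $maxId for the id check; it uses a prepared statement in place of mysql_real_escape_string, so the SQL quoting issue raised later in the thread never arises.

```php
<?php
// Added example, not code from the thread. Assumes $db is an open mysqli
// connection and the news table has columns id (int), newstitle, newstext.

// 1. Validate the id first: it must be a whole number, positive, and no larger
//    than the highest id you actually have (the three checks listed in #26).
$maxId = 1000; // assumed upper bound; look it up from the table in real code
$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => $maxId],
]);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// 2. Keep one clean copy of the text. stripslashes() is only appropriate when
//    magic_quotes_gpc added backslashes (PHP 5.3 and earlier); on later
//    versions it would strip backslashes the user typed on purpose.
$newstitle = (string) ($_POST['newstitle'] ?? '');
$newstext  = (string) ($_POST['newstext'] ?? '');
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $newstitle = stripslashes($newstitle);
    $newstext  = stripslashes($newstext);
}

// 3. Escape for the context you write into. The HTML form gets the
//    HTML-escaped copy; the SQL-escaped copy never reaches the page.
echo '<input value="' . htmlspecialchars($newstitle, ENT_QUOTES, 'UTF-8') . '" /><br />';
echo htmlspecialchars($newstext, ENT_QUOTES, 'UTF-8') . '<br /><br />';

// 4. For SQL, bind the values instead of splicing them into the query string:
//    the server receives them separately from the query text, so quoting and
//    escaping are handled for you and the id is sent as an integer.
$stmt = $db->prepare('UPDATE news SET newstitle = ?, newstext = ? WHERE id = ?');
$stmt->bind_param('ssi', $newstitle, $newstext, $id);
if (!$stmt->execute()) {
    error_log('news update failed: ' . $stmt->error); // log it, do not echo it
}
$stmt->close();
```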

  5. #30 011110010110000101111001 jabird (joined Aug 2004, U.S., 593 posts)
    hehe, that code worked! Thank you sooo much... Now I just have to make it so I don't have to type HTML... BBCode here I come...

    Thanks again, that is so great. I can put "'s, ''s, ('s, )'s; I can even try to escape the quotes beforehand (which is how I believe injections happen)... don't hackers do something like:

    \"INSERT INTO bleh SET something=5232kl3ja;s\"

    I know they'd probably never do a query like that, because it's pointless, but it was an example...
    ~Jabird
    Jabird.com
    If I were binary... I'd be all 1's for you.
    BBCode trouble?

  6. #31 SitePoint Guru (joined Nov 2004, Plano, 643 posts)
    make sure you have single quotes around field values that aren't numbers, that was one of the problems with the code you had before.

    \"INSERT INTO bleh SET something=5232kl3ja;s\"
    should be
    \"INSERT INTO bleh SET something='5232kl3ja;s'\"
    i know you probably just typed that out real quick, but i just wanted to make sure you were clear on that.
