
  1. #1
    agentforte (Toronto, ON, Canada)

    Order of Escape?

    I am making a simple survey and I want to save the results to a MySQL database.

    Could anyone let me know if this is the right order for validating and escaping things?
    (mainly, the approach I am thinking of is to only change the values right before using them in SQL or outputting to the browser)

    in other words, is there a danger of PHP validation without slashes?

    1) Receive $_POST values, stripping slashes if magic quotes is on

    2) put POST values into variables

    4) validate POST values.

    3) stripslashes and htmlspecialchars just before output to screen

    5) mysql_real_escape_string just before entry into database.


    I am not sure if I should be escaping strings before validation. Here are the functions I use:

    PHP Code:
    // strips slashes if magic quotes on
    function stripping($string) {
        if (!get_magic_quotes_gpc()) {
            return $string;
        } else {
            return stripslashes($string);
        }
    }

    // prepares data to be output to page
    function htmlsafe($string) {
        return htmlspecialchars($string);
    }

    // prepares data for database entry
    function sqlsafe($string) {
        $string = mysql_real_escape_string($string);
        return $string;
    }

    And here is my validation so far:

    PHP Code:
    // set variables
    $title     = stripping($_POST['title']);
    $selection = stripping($_POST['selection']);
    $other     = stripping($_POST['other']);

    // to check selection, and store error message
    $array = array('selection1', 'selection2', 'selection3');
    $err_message = '';

    if (strlen($title) == 0) {
        $title = FALSE;
        $err_message .= 'A title was not submitted. Please enter a title.<br />';
    }

    if (!in_array($selection, $array)) {
        $selection = FALSE;   // the failed field, not $title
        $err_message .= 'A valid selection was not made. Please make a selection.<br />';
    }

    if ($other == 'badword') {
        $badword = $other;    // keep the rejected word for the message
        $other = FALSE;
        $err_message .= 'You cannot use the word ' . htmlsafe($badword) . '. Please submit another word.<br />';
    }

    if ($err_message != '') {
        echo $err_message;
    } else {
        echo 'Success!';
        // continue to SQL insert
    }

    And finally here is my sql that will be inserted

    PHP Code:
    $title     = sqlsafe($title);
    $selection = sqlsafe($selection);
    $other     = sqlsafe($other);

    // string values belong in single quotes; in backticks MySQL would read them as column names
    $sql = "INSERT INTO `tablename` (`col1`, `col2`, `col3`, `col4`) VALUES (NULL, '$title', '$selection', '$other')";

  2. #2
    kromey (Fairbanks, AK)
    Yup, looks good. Remember that if you escape your string(s) before validating them, you'll have to account for the extra escape characters in your validation. Usually it's just easier to validate before you escape.

    Just a side note: I usually don't put escaped values back into their variables. Reason being that you may want to display the values later on, and all those extra escape characters would just get in the way. I'd do your SQL statement this way:
    PHP Code:
    $sql = "INSERT INTO `tablename` (`col1`, `col2`, `col3`, `col4`) VALUES (NULL, '" .
        sqlsafe($title) . "', '" .
        sqlsafe($selection) . "', '" .
        sqlsafe($other) . "')";
    Yes, it's a little annoying to do it that way, but it's easier than trying to strip out slashes later (especially since there is no true complement to mysql_real_escape_string - it's character-set sensitive, while stripslashes is not).
    PHP questions? RTFM
    MySQL questions? RTFM
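An added example, not code from either post above, that puts the order described in the question and kromey's side note into one runnable script: validation runs on the raw values, each boundary (SQL, HTML) escapes from the raw values, and the raw array is never overwritten with an escaped copy. The function names field(), validateSurvey(), buildInsert() and renderEcho() and the $db connection are assumptions made for this demo. mysql_real_escape_string() was removed in PHP 7, so the escaper is passed in as a callable; with a live connection that would be mysqli_real_escape_string($db, $s), and addslashes() only stands in for it so the script runs offline.

```php
<?php
// Added example, not code from the thread: validate raw input, escape only at
// each output boundary, never write the escaped value back over the raw one.
// The escaper is injected so this runs without a database; addslashes() is
// the offline stand-in and is NOT a substitute for the real thing in production.

$allowedSelections = array('selection1', 'selection2', 'selection3');

// Return the field as a string, or '' if missing or not a string
// (a request like selection[]=x would otherwise hand strlen() an array).
function field(array $in, $key) {
    return (isset($in[$key]) && is_string($in[$key])) ? $in[$key] : '';
}

// Validation runs on RAW input. Returns a list of error messages; empty means ok.
function validateSurvey(array $in, array $allowed) {
    $errors = array();
    $title = field($in, 'title');
    if (strlen($title) === 0 || strlen($title) > 100) {
        $errors[] = 'A title of 1 to 100 characters is required.';
    }
    if (!in_array(field($in, 'selection'), $allowed, true)) {
        $errors[] = 'A valid selection was not made.';
    }
    // Whitelist: letters, apostrophes, spaces and dashes. There is no backslash
    // in the class, so a value that was escaped before validation cannot pass.
    if (!preg_match("/^[A-Za-z' -]{1,50}$/", field($in, 'other'))) {
        $errors[] = 'The word may only contain letters, apostrophes, spaces and dashes.';
    }
    return $errors;
}

// SQL boundary: escape here, from the raw values, into single-quoted literals.
function buildInsert($escape, array $in) {
    return sprintf(
        "INSERT INTO `tablename` (`col1`, `col2`, `col3`, `col4`) VALUES (NULL, '%s', '%s', '%s')",
        $escape(field($in, 'title')),
        $escape(field($in, 'selection')),
        $escape(field($in, 'other'))
    );
}

// HTML boundary: escape here, from the raw values, for this context only.
function renderEcho(array $in) {
    return '<p>You entered: ' . htmlspecialchars(field($in, 'other'), ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample standing in for $_POST after magic quotes have been undone.
$post = array('title' => 'Survey', 'selection' => 'selection2', 'other' => "O'Brien");

$escape = 'addslashes';  // offline stand-in only
// With a live mysqli connection $db (assumed), use instead:
// $escape = function ($s) use ($db) { return mysqli_real_escape_string($db, $s); };

// Correct order: validate raw, then build each boundary's output from the raw array.
$errors = validateSurvey($post, $allowedSelections);
$sql    = buildInsert($escape, $post);
$html   = renderEcho($post);

// Wrong order: escape first. The backslash now inside "O\'Brien" fails the whitelist,
// and had $post been overwritten, renderEcho() would show that backslash to the user.
$escapedFirst       = array_map($escape, $post);
$errorsEscapedFirst = validateSurvey($escapedFirst, $allowedSelections);

echo count($errors), " error(s) validating raw input\n";
echo count($errorsEscapedFirst), " error(s) validating pre-escaped input\n";
echo $sql, "\n", $html, "\n";
```

Run as-is, the raw input validates with no errors while the pre-escaped copy is rejected once because of the backslash, which is the extra character kromey says validation would otherwise have to account for. The INSERT carries 'O\'Brien' and the HTML carries O&#039;Brien, each produced from the same raw $post; nothing escaped for one boundary ever reaches the other.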

  3. #3
    agentforte

    Thanks!

    Thanks Kromey,

    The suggestion for escaping sql right in the sql query was helpful. I think I did this in the past, I just forgot.

    Is there any way that an unescaped value can mess up a php validation?

    for example is the following safe?

    PHP Code:
    if ($_POST['unescapedvalue'] == 'password') {
        // do something secret
    }

    Being more specific, can they interfere with an "if" statement?

    I imagine the only way is if the validation statement is something like so (not a practical example, I just want to know how it works):

    PHP Code:
    if ('prepend part of a string' . $_POST['unescapedvalue'] == 'password') {
        // do something secret
    }

    where $_POST['unescapedvalue'] is entered as
    ' == 1 || 1==1 || 1
    and the statement becomes:

    if ('prepend part of a string' == 1 || 1==1 || 1 == 'password')

    Would PHP see the second statement as true, allowing the script to "do something secret" OR
    would php just make the quote a part of the string and treat it like the following?

    if ('prepend part of a string/' ==1 || 1==1 || 1==' 'password')

    where the string is
    ('prepend part of a string/' ==1 || 1==1 || 1==)

  4. #4
    kromey
    Validation of the kind you are referring to is only necessary when entering data into a database (Google: SQL injection), displaying it to a user (Google: XSS), or running user input through e.g. eval (a really really bad idea in general).

    As far as your example with a string in an if statement, PHP sees the user input as a string and never evaluates it as PHP code, even when appended to another string. The only time PHP would evaluate such a string would be if you ran it through eval or put it into a file and then used include. Maybe a couple other ways to make it execute. But in general use, no, PHP will not execute any kind of user input.
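An added example, not code from the thread, showing the two cases kromey distinguishes with the payload from the question: the same input is first used as data in a string comparison and then spliced into source text handed to eval(). checkSecret() and checkSecretViaEval() are hypothetical gates written for this demo, and the payload is adjusted from the question so that its quotes balance once it lands inside source text.

```php
<?php
// Added example, not code from the thread. checkSecret() and checkSecretViaEval()
// are hypothetical gates written for this demo.

// Constructed attacker input, adjusted from the question so the quotes balance
// once the string is spliced into PHP source.
$payload = "' === 1 || 1==1 || '";

// Data path: concatenation produces one longer string, which is compared as a
// whole. The quote and the || inside it are never parsed as PHP.
function checkSecret($input) {
    $value = 'prepend part of a string' . $input;
    return $value === 'password';   // strict comparison, so no type juggling either
}

// Code path: the same comparison assembled as source text and run with eval().
// Now the quote closes the literal and the condition contains a bare 1==1.
// This is the case kromey describes and the reason never to eval() user input.
function checkSecretViaEval($input) {
    $code = "return ('prepend part of a string' . '" . $input . "' === 'password');";
    return eval($code);
}

var_dump(checkSecret($payload));
var_dump(checkSecretViaEval($payload));
```

checkSecret() returns false for the payload, because the input stays a string; checkSecretViaEval() returns true, because the source it builds is `('prepend part of a string' . '' === 1 || 1==1 || '' === 'password')` and the 1==1 term carries the whole expression. Nothing about escaping changes the first result; only handing user input to the parser (eval, include of a user-written file) does.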

  5. #5
    kyberfabrikken (Copenhagen, Denmark)
    Quote Originally Posted by agentforte
    3) stripslashes and htmlspecialchars just before output to screen
    You should not stripslashes on data, before output.

  6. #6
    agentforte
    Quote Originally Posted by kyberfabrikken
    You should not stripslashes on data, before output.
    What if magic quotes are on? See the stripping function I have. (only strips if magic quotes are on)


    I assume you mean the same thing as Kromey:

    Quote Originally Posted by KROMEY
    Just a side note: I usually don't put escaped values back into their variables. Reason being that you may want to display the values later on, and all those extra escape characters would just get in the way...

    ... it's easier than trying to strip out slashes later (especially since there is no true complement to mysql_real_escape_string - it's character-set sensitive, while stripslashes is not)

  7. #7
    kyberfabrikken
    Quote Originally Posted by agentforte
    I assume you mean the same thing as Kromey:
    No, not really. I've often seen that people assume that since you use addslashes (Or mysql_escape_string) on values, which are inserted into the database, you should use stripslashes on values, retrieved from the database. This is not the case. The escaping of data is there to protect the transport of data, to the database. Once they are in the database, they aren't escaped any more. Thus, when you retrieve data, it will come back in its "unescaped" form. This illustrates:
    Code:
    mysql> create table test_of_escape (id serial, foo varchar(255));
    Query OK, 0 rows affected (0.22 sec)
    
    mysql> insert into test_of_escape values (NULL, "this is a single quote: '");
    Query OK, 1 row affected (0.05 sec)
    
    mysql> insert into test_of_escape values (null, 'this is a single quote: \'');
    Query OK, 1 row affected (0.06 sec)
    
    mysql> select * from test_of_escape;
    +----+---------------------------+
    | id | foo                       |
    +----+---------------------------+
    |  1 | this is a single quote: ' |
    |  2 | this is a single quote: ' |
    +----+---------------------------+
    2 rows in set (0.00 sec)
    
    mysql>
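An added example, not code from the thread, that reproduces the mysql> session above without a database by modelling what the server does with a single-quoted literal. toMysqlLiteral() escapes the same characters mysql_real_escape_string() does and wraps the value in quotes; parseMysqlLiteral() decodes the literal the way the server does before storing it. Both are written for this demo under the assumptions of the default sql_mode (backslash escapes enabled) and a charset where those bytes are unambiguous, such as utf8; the real, connection-aware escaping function is still what production code must call. The two sample values are constructed.

```php
<?php
// Added example, not code from the thread: a model of the MySQL string literal
// round trip, so the "escaping protects the transport, the stored value is the
// raw value" point can be checked offline. Assumes default sql_mode.

// Client side: escape what mysql_real_escape_string() escapes, then quote.
function toMysqlLiteral($raw) {
    $map = array(
        "\0" => '\0', "\n" => '\n', "\r" => '\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\Z',
    );
    return "'" . strtr($raw, $map) . "'";
}

// Server side: parse the literal back into the value that gets STORED.
// Models \-escapes, doubled quotes (''), and "any other \x means x".
// (MySQL keeps \% and \_ as two characters; that corner is not modelled.)
function parseMysqlLiteral($literal) {
    if (strlen($literal) < 2 || $literal[0] !== "'" || substr($literal, -1) !== "'") {
        throw new InvalidArgumentException('not a single-quoted literal');
    }
    $body   = substr($literal, 1, -1);
    $decode = array('0' => "\0", 'n' => "\n", 'r' => "\r",
                    'b' => "\x08", 't' => "\t", 'Z' => "\x1a");
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $n = $body[++$i];
            $out .= isset($decode[$n]) ? $decode[$n] : $n;
        } elseif ($c === "'" && $i + 1 < $len && $body[$i + 1] === "'") {
            $out .= "'";
            $i++;
        } elseif ($c === "'") {
            throw new InvalidArgumentException('unescaped quote inside literal');
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Constructed values for the demo.
$quote = "this is a single quote: '";
$path  = 'C:\temp\new';

// Escaped once: the server stores exactly the raw value (as in the mysql> session).
$storedOnce = parseMysqlLiteral(toMysqlLiteral($quote));

// Escaped twice (magic quotes left on, then sqlsafe() on top): the server
// stores a value with a stray backslash in it.
$storedTwice = parseMysqlLiteral(toMysqlLiteral(addslashes($quote)));

// stripslashes() on a retrieved value destroys legitimate backslashes.
$storedPath  = parseMysqlLiteral(toMysqlLiteral($path));
$mangledPath = stripslashes($storedPath);

var_dump($storedOnce === $quote);
var_dump($storedTwice === $quote);
var_dump($storedPath === $path);
var_dump($mangledPath === $path);
```

The first and third checks are true: escape once and what comes back is the raw string, so no stripslashes is needed on output. The second is false because the double-escaped literal decodes to `this is a single quote: \'` and that backslash is now data in the table; the fourth is false because stripslashes() turns the stored `C:\temp\new` into `C:tempnew`. Both failures are what the thread warns about, corruption from escaping twice and from "un-escaping" data that was never escaped in storage.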

