  #1 tlacaelelrl (SitePoint Addict; Mexico city, Mexico; joined Apr 2011)

    Security in dynamically generated queries

    Hello everyone!

    I am developing a script that uses dynamically generated queries based on user input. However, those fields can be modified using a tool such as Firebug, and I would like to know if someone can tell me if I am doing things the right way, or if there is a way to sanitize the queries better. Basically, for all fields in the form the values are limited, so I make sure that the passed value is in an array of accepted values; otherwise the query is stopped. But there is a field where the user can enter text to search for, and that cannot be limited to certain values the way I did with the rest of the fields, so I am using mysql_real_escape_string only. Basically, for the text field I do the following:

    PHP Code:
    if ( $delimiters['filterword'] != null ) {
        // Free-text field: escape it for use inside a quoted SQL string literal
        $delimiters['filterword'] = mysql_real_escape_string( $delimiters['filterword'] );

        $query  .= $where . 'title LIKE "%' . $delimiters['filterword'] . '%"';
        $query2 .= $where . 'title LIKE "%' . $delimiters['filterword'] . '%"';
    }
    And for the rest of the fields, where the values are limited to an expected value, I do this:

    PHP Code:
    if ( (int) $delimiters['lang'] != 0 ) {   // compared literal was lost in extraction; 0 assumed
        // Constrained field: only values from the expected list are accepted,
        // compared strictly so no type coercion takes place
        if ( in_array( $delimiters['lang'], $expectedValues, true ) === false )
            die( $err );

        $query  .= $where . $and . ' language = "' . $delimiters['lang'] . '"';
        $query2 .= $where . $and . ' language = "' . $delimiters['lang'] . '"';
    }
    Is this a good way of doing it or should I be sanitizing the data some other way?
    Do you get bothered because I do the same thing every day?
    Do you question why I do it?
    Then find something that you actually like doing!!!

    Stop thinking on what I do.

  #2 QMonkey (SitePoint Evangelist; Michigan, USA; joined Oct 2005)
    That's good. You may as well escape all string input - even if they're in a pre-set list of yours. You may add some later with a character which needs to be escaped and it could take some time to track down the problem when it comes up.

    And any input you expect to be an integer, cast to int, float cast to float, etc.
    - Robert
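    The approach both posts describe (whitelist the constrained fields, escape the free-text one), as an added example in PDO prepared-statement form; this is not code from the thread. It assumes a PDO handle $pdo, a table articles with title and language columns, and an allowed-language list, all of which are assumptions, and it escapes the LIKE wildcards so the search text is matched literally.

```php
<?php
// Added example (not the thread's code). Assumes: a PDO handle $pdo,
// a table "articles" with "title" and "language" columns, and a list
// of allowed language codes. All of these are assumptions.

/**
 * Build a parameterised search query from user-supplied filters.
 * Returns [sql, params]; values are bound, never interpolated.
 */
function buildSearchQuery(array $delimiters, array $expectedLangs): array
{
    $conditions = [];
    $params     = [];

    // Free-text field: cannot be whitelisted, so it is bound as a parameter.
    // The LIKE metacharacters (% and _) are escaped with '!' so that a user
    // typing "50%" matches the literal text rather than acting as a wildcard.
    if (isset($delimiters['filterword']) && $delimiters['filterword'] !== '') {
        $word = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $delimiters['filterword']);
        $conditions[]          = "title LIKE :filterword ESCAPE '!'";
        $params[':filterword'] = '%' . $word . '%';
    }

    // Constrained field: reject anything outside the whitelist (strict
    // comparison, so "1abc" is not coerced to 1), then still bind it.
    if (isset($delimiters['lang']) && $delimiters['lang'] !== '') {
        if (!in_array($delimiters['lang'], $expectedLangs, true)) {
            throw new InvalidArgumentException('unexpected language value');
        }
        $conditions[]    = 'language = :lang';
        $params[':lang'] = $delimiters['lang'];
    }

    $sql = 'SELECT id, title FROM articles';
    if ($conditions) {
        $sql .= ' WHERE ' . implode(' AND ', $conditions);
    }
    return [$sql, $params];
}

// Usage (assumed PDO connection $pdo and assumed allowed-language list).
[$sql, $params] = buildSearchQuery($_GET, ['en', 'es', 'fr']);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

    Binding covers values only; if a field ever chooses a column or table name, the whitelist check is the only option, since identifiers cannot be bound.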

  #3 tlacaelelrl (SitePoint Addict; Mexico city, Mexico; joined Apr 2011)

    Quote Originally Posted by QMonkey:
    That's good. You may as well escape all string input - even if they're in a pre-set list of yours. You may add some later with a character which needs to be escaped and it could take some time to track down the problem when it comes up.

    And any input you expect to be an integer, cast to int, float cast to float, etc.
    Thank you for the input.
