Security vs user input

#1  SitePoint Zealot (joined Aug 2006)

    Hi,

    What method are you normally calling before inserting user data into the database (MySQL), and then after retrieving the data?

    Is mysql_real_escape_string() enough now or do you have better approach?

    Cheers!

#2  SitePoint Zealot (Portland, joined Jan 2011)
    This is tough to answer as it depends on your needs. For example, does this query contain user input? Is this wrapped in a method or function? As well, other things apply, such as control characters and HTML.

#3  cpradio (Hosting Team Leader, Ohio, joined Jun 2002)
    You may want to read the following thread; it has a good conversation on when to use mysql_real_escape_string versus htmlentities or htmlspecialchars.
    http://www.sitepoint.com/forums/show...while-matching

#4  felgall (Sydney, NSW, Australia, joined Sep 2005)
    1. Validate all user input to make sure that each field contains something that looks valid for that field. Apart from security issues with invalid data, you also don't want to be trying to process junk. After all, no one has the name "delete from xyz_table where name<>''" and no one has the name '@@##@@##@@##@@##@@##' either, so you don't want to process either of those (using mysql_real_escape_string would prevent the first of these being run as SQL but would not prevent it being inserted into the database).
    2. Provided you use separate prepare and bind statements for your database calls, you don't need anything special to be able to save your validated user input to the database. mysql_real_escape_string() used to be necessary when the SQL and data had to be all jumbled together in the one call, in order to escape parts of the data that could be confused with the SQL.
    3. Sanitize all data read from the database so as to strip out anything that might be harmful if the database has been tampered with (if it hasn't been tampered with, then there shouldn't be anything harmful in there).
    4. Use htmlentities or htmlspecialchars if you are writing output into a web page, in order to make sure that it doesn't get confused with the HTML and that characters not properly recognised by the charset defined for the page still display correctly by using the appropriate entity codes.


    Of these the most important step is the first one - VALIDATION
    Stephen J Chapman
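The four steps in the post above, carried through as one added example that is not part of the thread: PHP 7.4+ with PDO, against an in-memory SQLite database so it runs offline (it assumes the pdo_sqlite extension; swapping the DSN for a `mysql:` one gives the MySQL version). The `users` table, the whitelist rule for a name, and the three sample submissions are constructed for the example. The read-side step treats the row as untrusted and re-runs the same validation rather than stripping characters, so a tampered row is refused instead of half-cleaned. Note that mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7, so on current PHP prepared statements are the only route anyway.

```php
<?php
// Added example (not from the thread): validate, bind, re-check on read,
// escape on output. Assumes PHP 7.4+ and the pdo_sqlite extension.
declare(strict_types=1);

// Step 1: validation. Each field gets a whitelist rule; anything that fails
// is rejected before it goes anywhere near the database.
function validateUser(array $input): array
{
    $errors = [];
    $name = trim((string)($input['name'] ?? ''));
    // Constructed rule for the example: letters, spaces, apostrophes and
    // hyphens only, so O'Brien passes while "delete from ..." and '@@##' do not.
    if ($name === '' || strlen($name) > 80 || !preg_match('/^\p{L}[\p{L} \'-]*$/u', $name)) {
        $errors['name'] = 'name must be letters, spaces, apostrophes or hyphens (max 80 bytes)';
    }
    $email = (string)($input['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }
    return ['ok' => $errors === [], 'errors' => $errors, 'name' => $name, 'email' => $email];
}

// Step 2: prepared statement with bound parameters. The data never becomes
// part of the SQL text, so no escaping function is needed for the database.
function insertUser(PDO $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int)$db->lastInsertId();
}

// Step 3: treat what comes back from the database as untrusted too. A row
// that no longer passes the input rule is evidence of tampering; refuse it.
function fetchUserForDisplay(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !validateUser($row)['ok']) {
        return null;
    }
    return $row;
}

// Step 4: escape at the point of output so the value cannot be read as HTML.
function renderUser(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $h($row['name']) . ' &lt;' . $h($row['email']) . '&gt;</li>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed sample input: one legitimate record and the two "names" from
// the post above, both of which must be refused at step 1.
$submissions = [
    ['name' => "Mary O'Brien", 'email' => 'mary@example.com'],
    ['name' => "delete from xyz_table where name<>''", 'email' => 'x@example.com'],
    ['name' => '@@##@@##@@##@@##@@##', 'email' => 'not-an-address'],
];

foreach ($submissions as $s) {
    $v = validateUser($s);
    if (!$v['ok']) {
        echo 'rejected: ' . json_encode($v['errors']) . "\n";
        continue;
    }
    $id = insertUser($db, $v['name'], $v['email']);
    $row = fetchUserForDisplay($db, $id);
    echo $row === null ? "row $id failed read-side check\n" : renderUser($row) . "\n";
}
```

Run it with `php example.php`: the first submission is stored and rendered with the apostrophe escaped, the other two are rejected before any query runs. The point of step 2 is that the bound value for `:name` is sent separately from the statement text, which is why no escaping call appears anywhere in the insert path.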
