Injection (php-mysql) - Page 2

**-Nick-** · 11-26-2007, 11:51 PM

Use this

PHP Code:

  $var = striptags($var);

????: NamePros.com http://www.namepros.com/programming/399017-injection-php-mysql.html
$var = htmlspecialchars($var);

$var = trim($var);

$var = stripslashes($var);

$var = mysql_real_escape_string($var);

Peter · 11-27-2007, 06:26 AM

Originally Posted by -Nick-

Use this

PHP Code:

  $var = striptags($var);

$var = htmlspecialchars($var);

$var = trim($var);

$var = stripslashes($var);

????: NamePros.com http://www.namepros.com/showthread.php?t=399017
$var = mysql_real_escape_string($var);

You should not run a variable through stripslashes unless it has been run through addslashes or magic_quotes_gpc otherwise you could be causing problems.

baris22 · 11-27-2007, 04:05 PM

I found another one.

If i try to enter this to my database it does not work.

PHP Code:

   
To: x@x.org 

????: NamePros.com http://www.namepros.com/showthread.php?t=399017

(There are line breaks before and after)

nick · 11-28-2007, 06:00 AM

what happens when you try this:

Code:

$query="INSERT INTO `filedetails` VALUES ('', '$type', '$title', '$description', '$links','0000000000')";

xrvel · 11-29-2007, 02:33 AM

Originally Posted by peter@flexiwebhost

You should not run a variable through stripslashes unless it has been run through addslashes or magic_quotes_gpc otherwise you could be causing problems.

Usually, i only stripslashes the input and addslashes it when i want to display it. Maybe you can explain what kind of problem?

Peter · 11-29-2007, 05:49 AM

Originally Posted by xrvel

Usually, i only stripslashes the input and addslashes it when i want to display it. Maybe you can explain what kind of problem?

If you add slashes to something that has already been run through add slashes (that is effectively what magic_quotes_gps does).

You should not be using add slashes for data that is going to be output to the browser. The function was intended to make data safe for inputting into a database and will not make data safe for outputting to the user. The function you should be using is htmlspecialchars() or htmlentities().

Even if you use add slashes for data that is going to be input into the database it does not take into consideration of what database you are inserting too. Many characters for example that are special characters in mySQl will remain untouched and will alter how your query will run.

xrvel · 11-29-2007, 05:57 AM

Originally Posted by peter@flexiwebhost

If you add slashes to something that has already been run through add slashes (that is effectively what magic_quotes_gps does).

You should not be using add slashes for data that is going to be output to the browser. The function was intended to make data safe for inputting into a database and will not make data safe for outputting to the user. The function you should be using is htmlspecialchars() or htmlentities().
????: NamePros.com http://www.namepros.com/showthread.php?t=399017

Even if you use add slashes for data that is going to be input into the database it does not take into consideration of what database you are inserting too. Many characters for example that are special characters in mySQl will remain untouched and will alter how your query will run.

Thanks. i only thought about escaping single quotes, now i will filter other special chars ...

Peter · 11-29-2007, 06:08 AM

Originally Posted by xrvel

Thanks. i only thought about escaping single quotes, now i will filter other special chars ...
????: NamePros.com http://www.namepros.com/showthread.php?t=399017

In html your concerns are more with things such as <>. If you only escape quotes then the problem has not been sorted as an XSS attack would still be possible. Javascript and HTML are not strongly typed languages/markups they do not require the quotes. This is where the html functions I mention help.

In mySQL you have characters such as -- which starts a comment and ; which ends a query (and anything after is a new query) however this 1 depends on the method you use for connecting.

If you really want to make an SQL statement safe then use prepared statements. SQL injection is not possible when this method is used.

11-26-2007, 11:51 PM	#26 (permalink)
-Nick- I'll do it Join Date: Dec 2005 Location: India Posts: 6,927 Follow @keralpatel	Use this PHP Code: `$var = striptags($var); ????: NamePros.com http://www.namepros.com/programming/399017-injection-php-mysql.html $var = htmlspecialchars($var); $var = trim($var); $var = stripslashes($var); $var = mysql_real_escape_string($var);` __________________ Delq\|Fhur\|Kegh\|Vhir\|Juhy\|Ruuz\|Jyos\|Jupt\|Vhek Webmaster Blog \| Software Downloads Makeup & Beauty Tips \| Sponsor Ads

11-27-2007, 04:05 PM	THREAD STARTER #28 (permalink)
baris22 NamePros Member Join Date: Jan 2007 Posts: 98	I found another one. If i try to enter this to my database it does not work. PHP Code: `To: x@x.org ????: NamePros.com http://www.namepros.com/showthread.php?t=399017` (There are line breaks before and after)

11-28-2007, 06:00 AM	#29 (permalink)
nick NamePros Regular Join Date: Jun 2004 Location: Iowa City Posts: 705	what happens when you try this: Code: $query="INSERT INTO `filedetails` VALUES ('', '$type', '$title', '$description', '$links','0000000000')"; __________________ formally ninedogger ------ Want to talk to a stranger? -->\| Click Here \| TalkToAStranger.com \| <-- Meet New Friends

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)