FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: BB type posting - is this secure? [message #176403 is a reply to message #176398] Fri, 30 December 2011 20:39 Go to previous messageGo to previous message
A is currently offline  A
Messages: 17
Registered: June 2011
Karma:
Junior Member
"Michael Joel" <no(at)please(dot)com> wrote in message
news:c6krf7l6t9mni7ql4nkua2c53kspied1g0(at)4ax(dot)com...
> stripslashes is used as it comes out of the db, addslashes are used as
> it goes in (but as mention mysql_real_escape_string is to be used).

just forget about strip/addslashes. use parametrized statements. it is
really easy and you won't have to think about tons of things.
it took me ages to switch to them, never looked back since as it is just so
much easier.

when you use parametrized statements then on every ? or :param: it replaces
it with raw data. it doesn't care whether you are inserting single quote or
backslash. it just inserts it as raw data.
also, parametrized statements are FASTER. you don't have to convert strings
from one format to another, escape them etc., you just insert them. database
engine doesn't need to prepare virtual machine for parsing queries, again it
is faster, especially if you use SQLite.

and finally, it is safe agains first level of sql injection attacks (data to
database).

and also use PDO. again, so much easier it does tons of things for you.

so here is how you filter input data:

1. use filter_var or other method of removing any unwanted input (for
example if you expect a number then filter out any other characters except
0123456789, easily done with filter_var)
2. use pdo / parametrized statements to insert data into database for
additional security and to avoid sql injection
3. when displaying this data back on console use htmlentities to correcly
print < > into &lt; &gt; etc.

and that is all there is to it.
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Help with script that retrieve remote files
Next Topic: Give me the names of some CRM php projects
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 02:16:25 GMT 2024

Total time taken to generate the page: 0.04364 seconds