Re: PHP mysql_excape but need to search for those items [message #178364 is a reply to message #178363]
Mon, 11 June 2012 18:38
J.O. Aho
Messages: 194 Registered: September 2010
Jerry Stuckle wrote:
> On 6/11/2012 1:01 PM, mrgushi wrote:
>> Jerry,
>> This is what I'm working with so far.
>>
>> not sure if I've escaped everything I needed to.
>>
>> $ENG = mysql_real_escape_string($ENG);
>> $result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
>> $row = mysql_fetch_array( $result );
>>
>> The $ENG is the input from the search form..
>> The JS problem is valid but then again it will be in a locked down iOS
>> app using PhoneGap. And I'll be using an HTTPS tunnel to the PHP
>> scripts.. use some sort of cookie with an SSL flag to lock it down. So
>> someone could jailbreak an iOS app and dig down in my settings and
>> figure out the JS but I don't think that's likely but you're right I want to
>> take every precaution.
>>
> Yes, that will work very nicely (although it's not considered good form to use
> SELECT * - rather select the individual columns. It will save you heartache
> later).
>
> There are more ways than just jailbreaking the iPhone. There is no guarantee
> that the request even came from your app on an iPhone. The request can easily
> be faked in any number of ways. And there's no guaranteed way to "lock it
> down" and be sure, unless you don't make it ever available via the internet.
>
Don't forget man-in-the-middle; using HTTPS will not protect against that.
--
//Aho
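The snippet mrgushi posted relies on mysql_real_escape_string() to keep the search term out of the SQL grammar, but that function only escapes quote and backslash characters; it does nothing about the LIKE wildcards % and _, so a search for "100%" still matches every row starting with 100. The added example below is not code from this thread: it keeps the br_test table and ENG column from the post, swaps the mysql_* functions (removed in PHP 7) for PDO prepared statements, escapes the LIKE metacharacters with a portable ESCAPE clause, and uses an in-memory SQLite database with constructed sample rows so it runs offline; against MySQL only the DSN would change.

```php
<?php
// Added example, not from the thread: same search as the post, done with a
// bound parameter instead of mysql_real_escape_string(), and with the LIKE
// wildcards escaped so user input is matched as a literal substring.
// Assumptions: table br_test with columns id and ENG (names from the thread),
// SQLite in place of MySQL, and the rows below are constructed test data.

function likeEscape(string $value, string $esc = '!'): string
{
    // Escape the escape character first, then the two LIKE metacharacters.
    // '!' is used rather than backslash so the ESCAPE clause reads the same
    // in MySQL and SQLite (MySQL treats backslash inside quotes specially).
    return str_replace([$esc, '%', '_'], [$esc.$esc, $esc.'%', $esc.'_'], $value);
}

function searchEng(PDO $db, string $userInput): array
{
    // The user's text becomes a bound parameter: quotes, backslashes and
    // comment sequences in it never reach the SQL parser as SQL.
    $pattern = '%' . likeEscape($userInput) . '%';
    $stmt = $db->prepare(
        "SELECT id, ENG FROM br_test WHERE ENG LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE br_test (id INTEGER PRIMARY KEY, ENG TEXT NOT NULL)");

// Constructed sample rows containing the characters the thread worries about.
$ins = $db->prepare("INSERT INTO br_test (ENG) VALUES (:eng)");
foreach (["100% cotton", "it's 50_50", "plain text", "back\\slash"] as $row) {
    $ins->execute([':eng' => $row]);
}

// Search terms that would misbehave with string-assembled SQL or raw LIKE
// patterns: a wildcard, a quote, an underscore, a backslash, an SQL fragment.
foreach (["100%", "'", "_50", "\\", "' OR 1=1 --"] as $input) {
    $hits = array_column(searchEng($db, $input), 'ENG');
    printf("%-14s -> %s\n", var_export($input, true), json_encode($hits));
}
```

With the wildcard escaping in place, "100%" matches only the row that literally contains "100%", and the quote, underscore and backslash inputs each find exactly the row containing that character; the injection-looking string simply finds nothing. Prepared statements also remove the need to remember an escape call before every query, which is where mistakes like the one the thread is about usually creep in.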