Re: BB type posting - is this secure? [message #176403 is a reply to message #176398]
Fri, 30 December 2011 20:39
A
"Michael Joel" <no(at)please(dot)com> wrote in message
news:c6krf7l6t9mni7ql4nkua2c53kspied1g0(at)4ax(dot)com...
> stripslashes is used as it comes out of the db, addslashes is used as
> it goes in (but as mentioned, mysql_real_escape_string is to be used).
just forget about strip/addslashes. use parametrized statements. it is
really easy and you won't have to think about tons of things.
it took me ages to switch to them; I never looked back since, as it is just so
much easier.
when you use parametrized statements then on every ? or :param: it replaces
it with raw data. it doesn't care whether you are inserting single quote or
backslash. it just inserts it as raw data.
also, parametrized statements are FASTER. you don't have to convert strings
from one format to another, escape them etc., you just insert them. the database
engine doesn't need to prepare a virtual machine for parsing queries, so again it
is faster, especially if you use SQLite.
and finally, it is safe against the first level of sql injection attacks (data to
database).
and also use PDO. again, so much easier it does tons of things for you.
so here is how you filter input data:
1. use filter_var or other method of removing any unwanted input (for
example if you expect a number then filter out any other characters except
0123456789, easily done with filter_var)
2. use pdo / parametrized statements to insert data into database for
additional security and to avoid sql injection
3. when displaying this data back on console use htmlentities to correctly
print < > as &lt; &gt; etc.
and that is all there is to it.
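The three-step routine from the reply above (validate with filter_var, insert through a PDO prepared statement, entity-encode on output), as an added worked example that is not code from the original post. It assumes PHP with the PDO SQLite driver; the `posts` table, the function names and the sample requests are constructed for this example.

```php
<?php
// Added example (not the poster's code): the three steps from the reply applied
// to a tiny message board kept in an in-memory SQLite database.
// Assumptions: PDO with the sqlite driver is available; the "posts" table and
// the sample requests below are constructed for this example.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real prepares, not client-side string building
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, topic_id INTEGER NOT NULL, body TEXT NOT NULL)');

// Step 1: validate input with filter_var. Anything that is not a positive integer
// is rejected outright; filter_var returns false rather than a "cleaned" value,
// so the caller has to check the result.
function validTopicId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: insert via a prepared statement. The body is bound as a parameter, so
// quotes and backslashes are stored verbatim and are never parsed as SQL.
function addPost(PDO $db, int $topicId, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (topic_id, body) VALUES (:topic_id, :body)');
    $stmt->bindValue(':topic_id', $topicId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function postsForTopic(PDO $db, int $topicId): array
{
    $stmt = $db->prepare('SELECT id, body FROM posts WHERE topic_id = ? ORDER BY id');
    $stmt->execute([$topicId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Step 3: escape on output, not on input. The raw text stays in the database;
// htmlentities turns < > & " ' into entities only at the moment of rendering.
function renderPost(array $post): string
{
    $safe = htmlentities($post['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<li id="post-%d">%s</li>', $post['id'], $safe);
}

// Constructed sample requests: one with a malformed topic id, one whose body
// contains a single quote, a backslash and an HTML tag.
$requests = [
    ['topic_id' => '1; DROP TABLE posts', 'body' => 'hello'],
    ['topic_id' => '1',                   'body' => "O'Reilly \\ <b>bold</b>"],
];

foreach ($requests as $req) {
    $topicId = validTopicId($req['topic_id']);
    if ($topicId === null) {
        echo 'rejected topic_id: ' . htmlentities($req['topic_id'], ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    addPost($db, $topicId, $req['body']);
}

echo "<ul>\n";
foreach (postsForTopic($db, 1) as $post) {
    echo renderPost($post), "\n";
}
echo "</ul>\n";
```

Run with `php example.php`. The first request is dropped at step 1 because `filter_var` refuses it, the second is stored with its quote and backslash intact (no addslashes, no stripslashes on the way back out), and the stored `<b>` only becomes `&lt;b&gt;` when `renderPost` builds HTML. Turning off `PDO::ATTR_EMULATE_PREPARES` is the setting that makes the driver send the statement and its parameters separately, which is what the reply means by the engine receiving "raw data".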