From: Karl DeSaulniers on

On Aug 23, 2010, at 8:35 PM, Chris wrote:

>
>>> You use mysql_real_escape_string for queries on the way in.
>>>
>>> $query = "select * from table where
>>> name='".mysql_real_escape_string($_POST['name'])."'";
>>>
>>> You use htmlspecialchars on the way out:
>>>
>>> $value = htmlspecialchars($row['name']);
>>>
>>>
>>> --
>>> Postgresql & php tutorials
>>> http://www.designmagick.com/
>>>
>>>
>>> --
>>> PHP Database Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>>
>> Ah.. thanks Chris.
>> If I want to compare that value I get from the database to what a
>> user
>> entered,
>> do I escape the value they entered or add htmlspecialchars to it
>> before
>> comparing it to what comes out of the database.
>> Sorry this is such a PHP 101 question. If you have time to respond,
>> please do, otherwise no worries, I am sure I will figure it out.
>
> If you want to compare, you're doing a query - so use
> mysql_real_escape_string:
>
> $query = "select blah from table where name='" .
> mysql_real_escape_string($_POST['name']) . "'";
>
>
> When you print results, you use htmlspecialchars:
>
> echo "Your search for " . htmlspecialchars($_POST['name']) . "
> returned X results<br/>";
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
>

Thanks Again Chris,
To be more specific. Is this correct?

function confirmUP($username, $password){
    $username = mysql_real_escape_string($username);

    /* Verify that user is in database */
    $q = "SELECT password FROM TBL-U WHERE username = '$username'";
    $result = $this->query($q);
    if(!$result || (mysql_numrows($result) < 1)){
        return 1; //Indicates username failure
    }

    /* Retrieve password from result */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = htmlspecialchars($dbarray['password']);
    $password = mysql_real_escape_string(md5($password));
    $password = htmlspecialchars($password);

    /* Validate that password is correct */
    if($password == $dbarray['password']){
        return 0; //Success! Username and password confirmed
    }
    else{
        return 2; //Indicates password failure
    }
}

The password was added to the database with md5() applied after
escaping.
Thank you for responding so quickly.

Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Chris on

> To be more specific. Is this correct?
>
> function confirmUP($username, $password){
> $username = mysql_real_escape_string($username);
>
> /* Verify that user is in database */
> $q = "SELECT password FROM TBL-U WHERE username = '$username'";

I normally do it in the query in case you use the variable somewhere
else but here it's ok because you don't use $username elsewhere. Be
careful though, it may bite you and it will be difficult to track down.

eg

$q = "select password from table where username='" .
mysql_real_escape_string($username) . "'";

echo "You entered " . htmlspecialchars($username) . ", either it was
wrong or the password was wrong. Try again.";

Doing the escape_string before the query means you end up with (basically)

htmlspecialchars(mysql_real_escape_string($username));

which will cause weird characters to show up in certain cases.

> $result = $this->query($q);
> if(!$result || (mysql_numrows($result) < 1)){
> return 1; //Indicates username failure
> }
>
> /* Retrieve password from result */
> $dbarray = mysql_fetch_array($result);
> $dbarray['password'] = htmlspecialchars($dbarray['password']);
> $password = mysql_real_escape_string(md5($password));
> $password = htmlspecialchars($password);

You're not displaying the password so don't htmlspecialchars it.

Just:

if ($dbarray['password'] == md5($password)) {
return 0; // success!
}

Only specialchars it when you display it (like the echo above).

--
Postgresql & php tutorials
http://www.designmagick.com/

From: Karl DeSaulniers on

On Aug 23, 2010, at 9:31 PM, Chris wrote:

>
>> To be more specific. Is this correct?
>>
>> function confirmUP($username, $password){
>> $username = mysql_real_escape_string($username);
>>
>> /* Verify that user is in database */
>> $q = "SELECT password FROM TBL-U WHERE username = '$username'";
>
> I normally do it in the query in case you use the variable
> somewhere else but here it's ok because you don't use $username
> elsewhere. Be careful though, it may bite you and it will be
> difficult to track down.
>
> eg
>
> $q = "select password from table where username='" .
> mysql_real_escape_string($username) . "'";
>
> echo "You entered " . htmlspecialchars($username) . ", either it
> was wrong or the password was wrong. Try again.";
>
> Doing the escape_string before the query means you end up with
> (basically)
>
> htmlspecialchars(mysql_real_escape_string($username));
>
> which will cause weird characters to show up in certain cases.
>
>> $result = $this->query($q);
>> if(!$result || (mysql_numrows($result) < 1)){
>> return 1; //Indicates username failure
>> }
>>
>> /* Retrieve password from result */
>> $dbarray = mysql_fetch_array($result);
>> $dbarray['password'] = htmlspecialchars($dbarray['password']);
>> $password = mysql_real_escape_string(md5($password));
>> $password = htmlspecialchars($password);
>
> You're not displaying the password so don't htmlspecialchars it.
>
> Just:
>
> if ($dbarray['password'] == md5($password)) {
> return 0; // success!
> }
>
> Only specialchars it when you display it (like the echo above).
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
>


Ahhh. I see.
But I do still put the escape on what they entered so it will match
what is in the database.
Ok. Thank you Thank you Thank you.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Karl DeSaulniers on

On Aug 23, 2010, at 10:04 PM, Karl DeSaulniers wrote:

> On Aug 23, 2010, at 9:31 PM, Chris wrote:
>
>>
>>> To be more specific. Is this correct?
>>>
>>> function confirmUP($username, $password){
>>> $username = mysql_real_escape_string($username);
>>>
>>> /* Verify that user is in database */
>>> $q = "SELECT password FROM TBL-U WHERE username = '$username'";
>>
>> I normally do it in the query in case you use the variable
>> somewhere else but here it's ok because you don't use $username
>> elsewhere. Be careful though, it may bite you and it will be
>> difficult to track down.
>>
>> eg
>>
>> $q = "select password from table where username='" .
>> mysql_real_escape_string($username) . "'";
>>
>> echo "You entered " . htmlspecialchars($username) . ", either it
>> was wrong or the password was wrong. Try again.";
>>
>> Doing the escape_string before the query means you end up with
>> (basically)
>>
>> htmlspecialchars(mysql_real_escape_string($username));
>>
>> which will cause weird characters to show up in certain cases.
>>
>>> $result = $this->query($q);
>>> if(!$result || (mysql_numrows($result) < 1)){
>>> return 1; //Indicates username failure
>>> }
>>>
>>> /* Retrieve password from result */
>>> $dbarray = mysql_fetch_array($result);
>>> $dbarray['password'] = htmlspecialchars($dbarray['password']);
>>> $password = mysql_real_escape_string(md5($password));
>>> $password = htmlspecialchars($password);
>>
>> You're not displaying the password so don't htmlspecialchars it.
>>
>> Just:
>>
>> if ($dbarray['password'] == md5($password)) {
>> return 0; // success!
>> }
>>
>> Only specialchars it when you display it (like the echo above).
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>>
>>
>>
>
>
> Ahhh. I see.
> But I do still put the escape on what they entered so it will match
> what is in the database.
> Ok. Thank you Thank you Thank you.
>
> Best,
>
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
>
>
>


Just to make sure, cause I am ready to get past this.
Is this correct?

function confirmUP($username, $password){
    /* Verify that user is in database */
    $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
    $result = $this->query($q);
    if(!$result || (mysql_numrows($result) < 1)){
        return 1; //Indicates username failure
    }

    /* Retrieve password from result */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = htmlspecialchars($dbarray['password']); //Or is this where I need to leave htmlspecialchars off too?

    /* Validate that password is correct */
    if(md5($password) == $dbarray['password']){
        return 0; //Success! Username and password confirmed
    }
    else{
        return 2; //Indicates password failure
    }
}


Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Chris on

> Just to make sure, cause I am ready to get past this.
> Is this correct?
>
> function confirmUP($username, $password){
> /* Verify that user is in database */
> $q = "SELECT password FROM ".TBL_USERS." WHERE username =
> '".mysql_real_escape_string($username)."'";

Perfect.

> /* Retrieve password from result */
> $dbarray = mysql_fetch_array($result);
> $dbarray['password'] = htmlspecialchars($dbarray['password']); //Or is
> this where I need to leave htmlspecialchars off too?

Leave it off.

You're not displaying $dbarray['password'] here - so you don't need to
use htmlspecialchars.

--
Postgresql & php tutorials
http://www.designmagick.com/
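An added example, not code from the thread, that puts Chris's two points from this and his earlier reply side by side: the SQL escape belongs in the query text only (the database stores the raw value, so escaping the variable itself and then echoing it leaks a backslash into the page), htmlspecialchars belongs at output only, and the stored hash is compared as-is because it is never displayed. The two escaper tables are constructed approximations of mysql_real_escape_string and htmlspecialchars (ENT_QUOTES), written in Python so the checks run stand-alone.

```python
import hashlib

# Constructed stand-ins for PHP's mysql_real_escape_string (MySQL backslash
# escaping) and htmlspecialchars with ENT_QUOTES; not the thread's own code.
_SQL_TABLE = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
              "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
_HTML_TABLE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;"}

def sql_escape(s: str) -> str:
    """Make s safe to splice between single quotes in SQL text (way in)."""
    return "".join(_SQL_TABLE.get(c, c) for c in s)

def html_escape(s: str) -> str:
    """Make s safe to splice into HTML (way out)."""
    return "".join(_HTML_TABLE.get(c, c) for c in s)

def sql_literal_value(escaped: str) -> str:
    """The value MySQL stores after parsing an escaped literal: the backslash
    escaping is undone on the way in, so the column holds the raw text."""
    inverse = {v[1]: k for k, v in _SQL_TABLE.items()}
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            out.append(inverse.get(escaped[i + 1], escaped[i + 1]))
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)

def login_query(username: str) -> str:
    """Escape inside the query text only; the username variable stays raw."""
    return "SELECT password FROM users WHERE username='" + sql_escape(username) + "'"

def retry_message(username: str) -> str:
    """HTML-escape the raw input only when it is printed."""
    return "You entered " + html_escape(username) + ", try again."

def double_encoded_retry_message(username: str) -> str:
    """Echoing a username that was SQL-escaped first leaks the backslash."""
    return "You entered " + html_escape(sql_escape(username)) + ", try again."

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def password_matches(stored_md5_hex: str, supplied: str) -> bool:
    """Hash vs hash: nothing here enters SQL or HTML, so no escaping; a hex
    digest has no special characters anyway (md5 is the thread's choice, not
    a modern password hash)."""
    return md5_hex(supplied) == stored_md5_hex
```

Running the checks below on the name O'Brien shows the query gets `O\'Brien`, the column holds `O'Brien`, and the double-escaped message prints `O\&#039;Brien`.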
