Slashes or no slashes
in [Databases]
|
Prev: CURDATE
Next: PgWest 2010 CFP (second call)
From: Karl DeSaulniers on 24 Aug 2010 00:38 On Aug 23, 2010, at 10:35 PM, Chris wrote: > >> Just to make sure, cause I am ready to get past this. >> Is this correct? >> >> function confirmUP($username, $password){ >> /* Verify that user is in database */ >> $q = "SELECT password FROM ".TBL_USERS." WHERE username = >> '".mysql_real_escape_string($username)."'"; > > Perfect. > >> /* Retrieve password from result */ >> $dbarray = mysql_fetch_array($result); >> $dbarray['password'] = htmlspecialchars($dbarray['password']); // >> Or is >> this where I need to leave htmlspecialchars off too? > > Leave it off. > > You're not displaying $dbarray['password'] here - so you don't need > to use htmlspecialchars. > > -- > Postgresql & php tutorials > http://www.designmagick.com/ > > > -- > PHP Database Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > Got it. So only when I am going to diplay the result from the database. I see. But for comparing $dbarray['password'] to $password, don't I have to escape $password and then md5 it? TIA Karl DeSaulniers Design Drumm http://designdrumm.com @david.lopez: Your emails are getting blocked by my isp, so I have not seen any of your emails. Not ignoring you, promise.
From: Chris on 24 Aug 2010 00:43 > Got it. So only when I am going to diplay the result from the database. > I see. Or email (or otherwise present it to the user), yes. > But for comparing $dbarray['password'] to $password, don't I have to > escape $password and then md5 it? Right. -- Postgresql & php tutorials http://www.designmagick.com/
From: Karl DeSaulniers on 24 Aug 2010 01:39 On Aug 23, 2010, at 11:38 PM, Karl DeSaulniers wrote: > > On Aug 23, 2010, at 10:35 PM, Chris wrote: > >> >>> Just to make sure, cause I am ready to get past this. >>> Is this correct? >>> >>> function confirmUP($username, $password){ >>> /* Verify that user is in database */ >>> $q = "SELECT password FROM ".TBL_USERS." WHERE username = >>> '".mysql_real_escape_string($username)."'"; >> >> Perfect. >> >>> /* Retrieve password from result */ >>> $dbarray = mysql_fetch_array($result); >>> $dbarray['password'] = htmlspecialchars($dbarray['password']); // >>> Or is >>> this where I need to leave htmlspecialchars off too? >> >> Leave it off. >> >> You're not displaying $dbarray['password'] here - so you don't >> need to use htmlspecialchars. >> >> -- >> Postgresql & php tutorials >> http://www.designmagick.com/ >> >> >> -- >> PHP Database Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php >> > > > Got it. So only when I am going to diplay the result from the > database. I see. > But for comparing $dbarray['password'] to $password, don't I have > to escape $password and then md5 it? > TIA > > > Karl DeSaulniers > Design Drumm > http://designdrumm.com > > @david.lopez: Your emails are getting blocked by my isp, so I have > not seen any of your emails. Not ignoring you, promise. > > -- > PHP Database Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > In the case that your comparing a field to a field in the database (the field name) do you escape that or because it is hardcoded you dont need to? My thoughts are that you need to escape all data going in. But I do not know if it will match. EG: /** * updateProduct */ function updateProduct($ProductName, $field, $value){ $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." = '".mysql_real_escape_string($value)."' WHERE ProductName = '".mysql_real_escape_string($ProductName)."'"; return $this->query($q); } Do I escape $field? mysql_real_escape_string($field)? $field is not a user entered value, but should I escape to block hacks? If $field = "username", will mysql_real_escape_string($field) match? My thoughts are yes because there are no special character in my hardcode and if there was an attempt to do an injection with this var, it would catch it. am I on the right path with my thoughts? TIA Karl DeSaulniers Design Drumm http://designdrumm.com
From: Chris on 24 Aug 2010 02:13
> > In the case that your comparing a field to a field in the database (the > field name) > do you escape that or because it is hardcoded you dont need to? > My thoughts are that you need to escape all data going in. Correct. A field name is not data though. You've already validated it (somehow, either by hardcoding it, or checking it against field names to make sure it's a proper field and doesn't contain weird chars). > But I do not know if it will match. > > EG: > > /** > * updateProduct */ > function updateProduct($ProductName, $field, $value){ > $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." = > '".mysql_real_escape_string($value)."' WHERE ProductName = > '".mysql_real_escape_string($ProductName)."'"; > return $this->query($q); > } > > Do I escape $field? mysql_real_escape_string($field)? You can only escape data, not field or table (or database) names. -- Postgresql & php tutorials http://www.designmagick.com/ |