
Thread: looking for straight answer - what's the safest or joint-safest way to validate data?

  1. #21

    Quote Originally Posted by Twey
    "PHP injection" is not a technical term, since it doesn't exist. It sounds to me as if you're expecting data submitted to your PHP script to be automatically executed somewhere along the way, thus compromising your security. It isn't. It's nothing more than a string until you pass it to something that tries to execute it in some form, such as eval(), shell_exec(), mysql_query(), or a browser (or a file, if that file has the wrong permissions/filename). Unless you are passing it to such a function, there is nothing to worry about.
    OK Twey, I'll take your word for it until I get hacked or learn to hack by injecting self-executing PHP code into a script that reads form data, and if that happens I'll get back to you and on your conscience may it remain

  2. #22

    You can't force something to execute as php from inside a string.

    For example, try running this--
    <?php echo "eval(1+1)"; ?>

    The eval function executes the code, but since it's in quotes, as a string, it does nothing. It'll just print that.
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #23

    Quote Originally Posted by djr33
    You can't force something to execute as php from inside a string.

    For example, try running this--
    <?php echo "eval(1+1)"; ?>

    The eval function executes the code, but since it's in quotes, as a string, it does nothing. It'll just print that.
    Injection of any malicious code usually works by first closing the quotes and the command, then starting a new one.

    Anyway, I'll settle for the "there's nothing to worry about" for the time being. I might just send some emails to php.net just to make sure though.

  4. #24

    Injection of any malicious code usually works by first closing the quotes and the command, then starting a new one.
    If this were possible in direct input into a script, no server-side script would be safe, since there would be no way to escape it.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  5. #25

    Yeah. Quotes are converted to "safe" characters before being used in strings. You can't just put one in there from a form or something... it'll become a new character.

  6. #26

    Quote Originally Posted by djr33
    Quotes are converted to "safe" characters before being used in strings.
    Are you referring to the "magic quotes" feature? That may protect data for certain uses, but for databases and such, the vendor-specific function (such as mysql_real_escape_string) should be used.

    For distributed code, magic quotes should never be relied upon as it is a configuration option (I have it disabled: I find it to be annoying, more than anything else). Development should be conducted without it, and code should be written to check the current state of the option and act accordingly.

    Mike
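An added example (not code from anyone in this thread) of the two points Mike makes in post #26: check the magic quotes state rather than relying on it, then escape with the vendor-specific function before the string reaches mysql_query. It assumes a mysqli connection in $db and a `users` table with a `name` column; mysqli_real_escape_string is used as the successor of the mysql_real_escape_string the post names.

```php
<?php
// Added example for this thread, not the original poster's code.
// Assumes: $db is an open mysqli connection (constructed elsewhere),
// and a table `users` with a `name` column exists.

// Step 1: see the raw string the user submitted, whatever the server's
// magic_quotes_gpc setting is. get_magic_quotes_gpc() exists up to PHP 7.4
// (always false from 7.4) and is gone in PHP 8, so a missing function
// simply means the option is off.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);   // undo the slashes magic quotes added
    }
    return $value;                     // option off: string is already raw
}

// Step 2: escape for the specific vendor. The escaping function needs the
// live connection so it can honour the connection's character set.
function mysql_literal(mysqli $db, string $value): string
{
    return "'" . mysqli_real_escape_string($db, $value) . "'";
}

// Build the lookup query from the escaped literal only.
function build_lookup_query(mysqli $db, string $name): string
{
    return "SELECT id FROM users WHERE name = " . mysql_literal($db, $name);
}

$name = raw_input($_POST['name'] ?? '');

// As Twey says, $name is still just a string here. The risk starts only when
// it is spliced into something that executes, such as the SQL below:
//
//   $sql = "SELECT id FROM users WHERE name = '" . $name . "'";   // unsafe
//
// A submitted value containing a single quote would end the literal early
// and change the query's structure (the "closing the quotes" case from #23).

$sql = build_lookup_query($db, $name);   // safe: the quote stays in the literal
$result = mysqli_query($db, $sql);
```

With magic quotes on, skipping step 1 would double-escape the value (\\' in the stored data); with it off, skipping step 2 leaves the quote unescaped, which is why the code checks the option instead of assuming either state.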
