
Thread: Strip Characters

  1. #11
     Join Date: Jun 2005 | Location: UK

    Oh, and another thing: why on Earth are you using the root account to access the database?!
    You know that whole privilege-separation thing I was going on about? Well... using the root account for anything but manual administrative tasks is just about the worst security flaw you can possibly subject your poor database to.
    Twey | I understand English | I understand Japanese | I understand Lojban | I understand Esperanto | I understand French | I understand Spanish | I understand a little Vietnamese | I understand a bit of German | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  2. #12
     Join Date: Apr 2006

    It's all Prototype right now.

  3. #13
     Join Date: Jun 2005 | Location: UK

    Doesn't matter, there's no reason to be using the root account.

  4. #14
     Join Date: Mar 2006 | Location: Illinois, USA

    I'm also coding something that uses get (and post) data.

    I have a submit form that will add info to a database.

    There's something wrong with just letting people type something in the form, click submit, then do that?

    How about my dynamic page that uses get to get some html from a database? (index.php?page=5, where it would search the database for the row WHERE id=5, then get the html data from that row and display it)

    Isn't this kinda the point of mysql? It's a security risk?

  5. #15
     Join Date: Jun 2005 | Location: UK

    Quote Originally Posted by djr33
    Isn't this kinda the point of mysql? It's a security risk?
    It is, yes. This is what mysql_real_escape_string() is for.

    Quote Originally Posted by djr33
    How about my dynamic page that uses get to get some html from a database? (index.php?page=5, where it would search the database for the row WHERE id=5, then get the html data from that row and display it)
    And what if someone used:
    Code:
    index.php?page=1;DROP%20DATABASE%20yourdb
    If the query string looked like this:
    Code:
    $sql = "SELECT * FROM table WHERE id=$id;";
    then after it had been parsed, it would look like this:
    Code:
    $sql = "SELECT * FROM table WHERE id=1;DROP DATABASE yourdb;";
    ... and your script would faithfully execute it. If you used mysql_real_escape_string, it would escape the semicolon with a backslash, rendering it harmless and simply returning no results.

  6. #16
     Join Date: Mar 2006 | Location: Illinois, USA

    mysql_real_escape_string is just something you do to an ordinary string?
    doesn't have to be part of the query or anything, right?
    I mean... I can do it before connecting to or doing anything with the database, yes?

    //adding now.

  7. #17
     Join Date: Dec 2004 | Location: UK

    Quote Originally Posted by Twey
    And what if someone used:
    Code:
    index.php?page=1;DROP%20DATABASE%20yourdb
    Your point is valid, of course, but the answer to that question should be: not a lot.

    CGI programs (and the like) should consider semicolons (;) to be equivalent to ampersands (&) for the purpose of separating query string name/value pairs, so the value of $_GET['page'] will equal '1' in PHP.

    Replace ';' with '%3B' and now you're in trouble.

    Quote Originally Posted by Twey
    If you used mysql_real_escape_string, it would escape the semicolon with a backslash, rendering it harmless and simply returning no results.
    True, though that's overkill in this case. As the value of 'page' should only be a number, this can be validated. Non-numeric strings, such as an attempted injection attack, can be rejected. No need for escaping.

    Quote Originally Posted by djr33
    mysql_real_escape_string is just something you do to an ordinary string?
    Yes. After creating a connection (the function uses the connection to determine character encoding), you'd call the function with data you intend to add to the SQL query, and append or insert the return value.

    Quote Originally Posted by djr33
    doesn't have to be part of the query or anything, right?
    No, it mustn't.

    Quote Originally Posted by djr33
    I can do it before connecting to or doing anything with the database, yes?
    No, you must connect first.

    Mike

  8. #18
     Join Date: Mar 2006 | Location: Illinois, USA

    Thanks.

    Yeah, I figured out where to put it by playing with it.

    Easy, and effective...

    It's setup now.

    By the way, while I used a number in my example, the page is actually like "index.php?page=name"... a string. So... yeah, it is important to validate, I guess.
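Twey's injection walk-through in #15, Mike's point in #17 that the page value should be validated rather than escaped, and djr33's note in #18 that the real parameter is a string slug can all be exercised with the script below. It is an added example and not code from any of the posters: it uses Python's sqlite3 module with a constructed in-memory table in place of the PHP/MySQL setup in the thread, and the table, column names, slugs and sample html are assumptions. It also goes a step beyond the thread's stacked `;DROP DATABASE` payload: a driver that runs one statement per call (sqlite3 here, and the old mysql_query() likewise) refuses the second statement outright, so the example adds a single-statement payload (`1 OR 1=1`) that the concatenated query still executes, then shows the allow-list validation for both numeric ids and slugs, with the validated value bound as a query parameter.

```python
import re
import sqlite3

# Constructed sample rows standing in for the "page html" table described in
# the thread (id, slug, html). The schema and values are assumptions.
SAMPLE_PAGES = [
    (1, "home", "<h1>Home</h1>"),
    (2, "about", "<h1>About</h1>"),
    (5, "contact", "<h1>Contact</h1>"),
]

# Allow-lists for the two shapes of ?page= value mentioned in the thread:
# a positive integer id, or a short lowercase slug such as "about".
ID_RE = re.compile(r"[1-9][0-9]{0,8}")
SLUG_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def make_db():
    """In-memory SQLite database filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT UNIQUE, html TEXT)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, page):
    """The pattern from the thread: $_GET['page'] pasted straight into the SQL.
    Returns the html of every row the attacker-controlled WHERE clause matches."""
    sql = f"SELECT html FROM pages WHERE id={page}"  # do NOT do this
    return [row[0] for row in conn.execute(sql)]


def stacked_statement_is_refused(conn):
    """The thread's page=1;DROP ... payload. sqlite3's execute() runs a single
    statement (PHP's old mysql_query() had the same rule), so the driver raises
    instead of dropping anything. That is luck, not a defence: lookup_vulnerable
    with "1 OR 1=1" needs no second statement at all."""
    try:
        conn.execute("SELECT html FROM pages WHERE id=1;DROP TABLE pages")
    except (sqlite3.Warning, sqlite3.Error):  # Warning on older Pythons, ProgrammingError on newer
        return True
    return False


def validate_page(page):
    """Allow-list the raw ?page= value before it goes anywhere near SQL.
    Returns ("id", int) or ("slug", str); raises ValueError for everything else,
    including both injection strings from the thread (they contain ';' or spaces)."""
    if ID_RE.fullmatch(page):
        return "id", int(page)
    if SLUG_RE.fullmatch(page):
        return "slug", page
    raise ValueError(f"rejected page parameter: {page!r}")


def lookup_safe(conn, page):
    """Validated value bound as a parameter: the driver sends it as data, never as SQL."""
    kind, value = validate_page(page)
    column = "id" if kind == "id" else "slug"  # chosen by our code, not by the request
    return [row[0] for row in conn.execute(f"SELECT html FROM pages WHERE {column} = ?", (value,))]


def is_rejected(conn, page):
    """True if lookup_safe refuses the value outright."""
    try:
        lookup_safe(conn, page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, page=5         ->", lookup_vulnerable(db, "5"))
    print("vulnerable, page=1 OR 1=1  ->", lookup_vulnerable(db, "1 OR 1=1"))
    print("stacked ;DROP refused by driver:", stacked_statement_is_refused(db))
    print("safe, page=5               ->", lookup_safe(db, "5"))
    print("safe, page=about           ->", lookup_safe(db, "about"))
    for bad in ("1 OR 1=1", "1;DROP DATABASE yourdb"):
        print("safe, page=%r -> rejected: %s" % (bad, is_rejected(db, bad)))
```

The validation is the part Mike is describing: anything that is not a plain id or a plain slug is rejected before a query is built, so escaping never has to be relied on. The parameter binding is the belt to go with those braces; if the allow-list is ever loosened, the value still reaches the database as data rather than as SQL text.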

  9. #19
     Join Date: Jun 2005 | Location: UK

    Quote Originally Posted by Mike
    No, you must connect first.
    Well, technically the connection-handler argument is optional, so you can just call it on the string to encode it using the default system character encoding. However, it's not a good idea, since this would reduce portability and could cause problems if MySQL's character encoding was different to that of the system.

  10. #20
     Join Date: Dec 2004 | Location: UK

    Quote Originally Posted by Twey
    Well, technically the connection-handler argument is optional [...]
    The argument can be omitted from the call, but a connection isn't optional. From the manual page:

    link_identifier

    The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If by chance no connection is found or established, an E_WARNING level warning is generated.
    This applies to many of the MySQL functions.

    Mike
