Secureing the data

Are this code is secure or what?
what mysql_real_escape_string do in this code i did't see any change in the code in the database?
If not how can i insert it into the database with out harm my database?
and what are the code if he inserted into the database can harm it to test it?

[PHP]
<?php
mysql_select_db("Test",mysql_connect("localhost"," root",""));
$data=mysql_real_escape_string("<?php echo Hello ?>");
if(mysql_query("INSERT INTO test VALUES ('$data','$data')"))
{
echo "True";
}else{
echo "False";
}
$result=mysql_query("SELECT * FROM TEST");
$array=mysql_fetch_assoc($result);
echo $array['name']."<br />";
?>
[/PHP]

re: Secureing the data

Hi,

Take a look at the following article:

XSRF: What is it, How does it work, and how can you thwart it

Also you can do simple things like remoive invalid characters from any data you load to the database. By sending wvery data item through a function similar to this:
[php]
function secure($data, $plIsEmail)
{
// prevent the majority of attaccks by removing certain elements from the data. Not to be used if the target field is to store HTML in it.
if ($plIsEmail)
{
$replace = array('<' => '' , '>' => '' , '&' => '' , ',' => '' , '*' => '' , '/' => '' );
}
else
{
$replace = array('<' => '' , '>' => '' , '&' => '' , '.' => '' , ',' => '' , '*' => '' , '/' => '' , '@' => '');
}

$data = strtr($data , $replace);
return $data;
}
[/php]

I must admit that I got the basis for this function from someone here on TSDN so I do not take credit for it. Unfortunatley I can't remember who or where, but thaks to whoever it was that wrote this, it works well.

This is one step in the process, reading the article will help even more.

Cheers
nathj

re: Secureing the data

Thank you for this article but it did't answer my question i want to know when i insert data into the database like :
[PHP
]<?php
//data
?>
[/PHP]

are that code can harm the database ?

re: Secureing the data

I am assuming (and perhaps thats my problem) that you are talking about taking data from a form on a web site into your database? In which case someone can load code into the form that could cause problems to your database. Hence I recommended reading the article and removing the potential for harm from any information passed into the database.

I think that I am mis-understanding what you are asking. Do you have any code you could show me so that I can get a better understaning of the question being asked?

Cheers
nathj

re: Secureing the data

my question is : i want to enter php tags into my database like when i write php tags into this forum, how can i secure that ?

re: Secureing the data

I understand now.

What I would do is replace the tags with something else, then when you read from the the table you can add the php tags in and now how to format the output. It then just becomes a case of documenting the parsing rules. So when someone writes to the database the tags a rereplaced with the safe equivalent, then when they read from the database they safe equivalent is replaced with the tags.

I am working on a project where I intend to allow html tags in the database. I am going to secure this by only allowing certain people (namely me) access to that functionality. In this case I will just load them as they are.

If you know who is going to be loading the information to the DB then I think you can just add the tags as they are and no harm is done. The potential for trouble comes when you read from the database so that's where you need to be most on your guard.

Cheers
nathj

re: Secureing the data

You don't need to. The database can't run PHP code, and PHP is only parsed server-side. If you were to try to echo that out, it'd just be displayed as is. No parsing would be done.

As for security, look at the article nathj recommended. Also, make sure you always use mysql_real_escape_string() going into the database, and anytime that you don't want HTML and such, use htmlspecialchars() when getting data out of the database.

And for your earlier question mysql_real_escape_string() stops SQL injection. The data you were putting into it was not an example of SQL injection, and was perfectly fine as is.