Bytes | Software Development & Data Engineering Community

MySQL/PHP: Check data length before INSERT?


Folks,

I've heard of buffer overflows being used/abused by hackers and believe one
method to reduce this from happening is to check the length of my form data
before writing it to my MySQL database.

Is my understanding correct?

At the moment, I pass all my data through htmlentities() before writing to
my database. Is this enough? Should I check each individual column's length
first, or perhaps the overall content length to fit within the maximum
record length?

I found a function called mysql_escape_string() and have thought of using
it - but other than strip_slashes(), I don't know the reverse (unless
strip_slashes() is the recommended opposite of mysql_escape_string()).

Can someone advise? Much appreciated,

--
Replies please... via the newsgroup, so everyone can learn...
Thanks,
Randell D.
Jul 17 '05 #1
Randell D. wrote:
> I've heard of buffer overflows being used/abused by hackers and believe one
> method to reduce this from happening is to check the length of my form data
> before writing it to my MySQL database.

MySQL should cut it for you, if it is too long to fit, but of course it
is smart to check it before inserting it into the table, because you never
know if there is a bug in MySQL.

> At the moment, I pass all my data through htmlentities() before writing to
> my database. Is this enough? Should I check each individual column's length
> first, or perhaps the overall content length to fit within the maximum
> record length?

Wouldn't it be smart to check it and inform the user that data doesn't
fit? That is probably better than just cutting the end off.

> I found a function called mysql_escape_string() and have thought of using
> it - but other than strip_slashes(), I don't know the reverse (unless
> strip_slashes() is the recommended opposite of mysql_escape_string()).

You don't need to reverse mysql_escape_string() when reading. Just be
sure to call it before writing, because if you don't, you probably have
the most common security hole in your application.

Jul 17 '05 #2

"Aggro" <sp**********@yahoo.com> wrote in message
news:4I************@read3.inet.fi...
> Randell D. wrote:
> > I've heard of buffer overflows being used/abused by hackers and believe one
> > method to reduce this from happening is to check the length of my form data
> > before writing it to my MySQL database.
>
> MySQL should cut it for you, if it is too long to fit, but of course it
> is smart to check it before inserting it into the table, because you never
> know if there is a bug in MySQL.
>
> > At the moment, I pass all my data through htmlentities() before writing to
> > my database. Is this enough? Should I check each individual column's length
> > first, or perhaps the overall content length to fit within the maximum
> > record length?
>
> Wouldn't it be smart to check it and inform the user that data doesn't
> fit? That is probably better than just cutting the end off.
>
> > I found a function called mysql_escape_string() and have thought of using
> > it - but other than strip_slashes(), I don't know the reverse (unless
> > strip_slashes() is the recommended opposite of mysql_escape_string()).
>
> You don't need to reverse mysql_escape_string() when reading. Just be
> sure to call it before writing, because if you don't, you probably have
> the most common security hole in your application.

Thanks... I have javascript checks on the form field lengths - but my
concern was on folks who try to work their way around these tests... I know
MySQL will cut the data but (and I'm probably mixing things up here) I have
read of some bugs being abused on an MS environment whereby hackers somehow
managed to write data after the NULL character (which would normally
terminate a string I think).

Hence I wanted to make sure I was writing the data in some environmentally
friendly way...

Thanks though,
randell d.

Jul 17 '05 #3
Randell D. wrote:
> Thanks... I have javascript checks on the form field lengths - but my
> concern was on folks who try to work their way around these tests... I know
> MySQL will cut the data but (and I'm probably mixing things up here) I have
> read of some bugs being abused on an MS environment whereby hackers somehow
> managed to write data after the NULL character (which would normally
> terminate a string I think).

If you use javascript to check the strings, you also need to do checking
at the server using php. You need to do this because:
- A lot of people don't have javascript or it isn't enabled, and they
deserve to know the error also, don't they?
- Security rule number 1: Always check that user input is valid.

Note that you can still use javascript, if you think that you gain more
than you lose with it:
- Extra work (implementation and upkeep)
- Some errors with some browsers might appear which won't look good in
the users' eyes
+ It might decrease the server load a little, because in the normal scenario
the server needs to validate data only once (because javascript handles most
user errors without bothering the server)
+ It might be more user-friendly in some cases. For example a counter
that counts the characters that the user has inputted so that the user can see
in real time how much more he/she can write.

Jul 17 '05 #4
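The two replies above (check lengths on the server and tell the user rather than truncating; JavaScript checks are no substitute for server-side validation) as an added PHP example. This is not code from the thread or from any poster: the table, column names and limits are assumed for illustration, an in-memory SQLite database via PDO stands in for MySQL so the script runs without a server (only the DSN changes for MySQL), and a PDO prepared statement takes the place of the mysql_escape_string() step the replies discuss, sending values separately from the SQL text so nothing has to be reversed when reading. It assumes the pdo_sqlite and mbstring extensions are loaded.

```php
<?php
// Added example, not from the thread: server-side length validation
// followed by a prepared-statement INSERT. Table, columns and limits are
// assumptions chosen for illustration.
declare(strict_types=1);

// Column limits mirrored from the assumed schema:
//   guestbook (name VARCHAR(40), email VARCHAR(254), message VARCHAR(500))
const COLUMN_LIMITS = ['name' => 40, 'email' => 254, 'message' => 500];

/**
 * Validate form input against the column limits. Returns a list of error
 * messages, empty when everything fits. MySQL VARCHAR(n) counts characters,
 * not bytes, so mb_strlen() is the right measure; strlen() would reject
 * multibyte UTF-8 text that actually fits.
 */
function validateLengths(array $input, array $limits): array
{
    $errors = [];
    foreach ($limits as $column => $max) {
        if (!isset($input[$column]) || !is_string($input[$column])) {
            $errors[] = "$column is missing";
            continue;
        }
        $len = mb_strlen($input[$column], 'UTF-8');
        if ($len > $max) {
            $errors[] = "$column is $len characters, maximum is $max";
        }
    }
    return $errors;
}

/**
 * Insert only after validation passed. The prepared statement carries the
 * values outside the SQL text, so no escaping is applied and no reverse
 * step is needed when the row is read back.
 */
function insertGuestbookEntry(PDO $db, array $input): int
{
    $errors = validateLengths($input, COLUMN_LIMITS);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, message) VALUES (:name, :email, :message)'
    );
    $stmt->execute([
        ':name'    => $input['name'],
        ':email'   => $input['email'],
        ':message' => $input['message'],
    ]);
    return (int) $db->lastInsertId();
}

// For MySQL: new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass).
// An in-memory SQLite database stands in so this runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY,
           name VARCHAR(40), email VARCHAR(254), message VARCHAR(500))');

// Constructed input: what a client can submit once the JavaScript checks are skipped.
$tooLong = ['name' => str_repeat('x', 41), 'email' => 'a@example.com', 'message' => "it's a test"];
// Constructed input that fits: 500 accented characters are 1000 bytes but 500 characters.
$fine    = ['name' => "O'Brien", 'email' => 'a@example.com', 'message' => str_repeat('é', 500)];

print_r(validateLengths($tooLong, COLUMN_LIMITS));
echo 'inserted row ', insertGuestbookEntry($db, $fine), "\n";
```

The apostrophe in "O'Brien" and in the message travel as data, which is the hole Aggro is warning about when mysql_escape_string() is forgotten. One caveat on "MySQL should cut it": with strict SQL mode, which MySQL enables by default since 5.7, an over-long value makes the INSERT fail with an error instead of being silently shortened, so validating first is what turns that failure into a message the user can act on.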
Randell D. wrote:
> "Aggro" <sp**********@yahoo.com> wrote in message
> news:4I************@read3.inet.fi...
> > Randell D. wrote:
> > > I've heard of buffer overflows being used/abused by hackers and
> > > believe one method to reduce this from happening is to check the
> > > length of my form data before writing it to my MySQL database.
> >
> > MySQL should cut it for you, if it is too long to fit, but of course
> > it is smart to check it before inserting it into the table, because you
> > never know if there is a bug in MySQL.
> >
> > > At the moment, I pass all my data through htmlentities() before
> > > writing to my database. Is this enough? Should I check each
> > > individual column's length first, or perhaps the overall content
> > > length to fit within the maximum record length?
> >
> > Wouldn't it be smart to check it and inform the user that data
> > doesn't fit? That is probably better than just cutting the end off.
> >
> > > I found a function called mysql_escape_string() and have thought of
> > > using it - but other than strip_slashes(), I don't know the reverse
> > > (unless strip_slashes() is the recommended opposite of
> > > mysql_escape_string()).
> >
> > You don't need to reverse mysql_escape_string() when reading. Just be
> > sure to call it before writing, because if you don't, you probably
> > have the most common security hole in your application.
>
> Thanks... I have javascript checks on the form field lengths - but my
> concern was on folks who try to work their way around these tests... I
> know MySQL will cut the data but (and I'm probably mixing things up
> here) I have read of some bugs being abused on an MS environment
> whereby hackers somehow managed to write data after the NULL
> character (which would normally terminate a string I think).

Alright, I'm going to jump in just to prevent any further confusion. A
buffer overrun is where you allocate a block of memory of fixed size, and
then read in an arbitrary amount of data which may run past the end of the
block of memory you have allocated (the buffer), overwriting memory that
could potentially be executed. Since you have no memory management abilities
in PHP, this is not anything that you as a user of PHP need to be concerned
about. It has nothing to do with writing past a null character, it's simply
a matter of reading in data of arbitrary size into a block of memory of
fixed size.

Jul 17 '05 #5
On Wed, 07 Jan 2004 05:32:05 GMT, "Randell D."
<re**********************@and.share.com> wrote:
> At the moment, I pass all my data through htmlentities() before writing to
> my database. Is this enough? Should I check each individual column's length
> first, or perhaps the overall content length to fit within the maximum
> record length?

You should store your data as raw as possible and only use
htmlentities() when outputting it in an HTML context.

> I found a function called mysql_escape_string() and have thought of using
> it - but other than strip_slashes(), I don't know the reverse (unless
> strip_slashes() is the recommended opposite of mysql_escape_string()).

addslashes() and stripslashes()

--
David ( @priz.co.uk )

Jul 17 '05 #6
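David's advice to store data raw and encode it only when it is output in an HTML context, as an added PHP example that is not from the thread (the input string is constructed). It shows what a single htmlspecialchars() at render time produces, what comes out when a value that was already run through htmlentities() before storage is encoded again on output, and how much pre-storage encoding inflates the character count a VARCHAR column has to hold, which is the length question from the original post seen from the other side.

```php
<?php
// Added example, not from the thread: keep stored values raw, encode at
// the point of output. The sample comment below is constructed input.
declare(strict_types=1);

/** Encode a raw string for HTML text or a quoted attribute value. */
function renderHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** What a value stored after htmlentities() looks like once output encoding runs over it again. */
function doubleEncoded(string $raw): string
{
    $storedEncoded = htmlentities($raw, ENT_QUOTES, 'UTF-8');  // encoded before INSERT
    return renderHtml($storedEncoded);                          // encoded again on output
}

/** How many extra characters htmlentities() adds, i.e. column space the raw value did not need. */
function encodedGrowth(string $raw): int
{
    $encoded = htmlentities($raw, ENT_QUOTES, 'UTF-8');
    return mb_strlen($encoded, 'UTF-8') - mb_strlen($raw, 'UTF-8');
}

// Constructed user input with the characters that matter in HTML.
$comment = 'Tom & Jerry say "<b>hi</b>"';

// 1. Stored raw, encoded once at output: the markup the browser should receive.
echo renderHtml($comment), "\n";

// 2. Stored already encoded, then encoded again by the output layer:
//    the visitor sees literal "&amp;" and "&quot;" text instead of & and ".
echo doubleEncoded($comment), "\n";

// 3. The raw value is shorter than its encoded form, so length checks and
//    column sizes should be applied to the raw value that is actually stored.
printf("htmlentities() adds %d characters to a %d-character input\n",
    encodedGrowth($comment), mb_strlen($comment, 'UTF-8'));
```

Each "&" alone becomes the five-character "&amp;", and htmlentities() (unlike htmlspecialchars()) also rewrites accented letters into named entities, so a value that passed a length check as raw text can still exceed the column once encoded. Keeping the stored value raw also means the same row can be rendered into a different context later (JSON, plain-text e-mail, a CSV export) with that context's own encoding instead of HTML entities baked into the data.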

"Agelmar" <if**********@comcast.net> wrote in message
news:bt************@ID-30799.news.uni-berlin.de...
> Randell D. wrote:
> > "Aggro" <sp**********@yahoo.com> wrote in message
> > news:4I************@read3.inet.fi...
> > > Randell D. wrote:
> > > > I've heard of buffer overflows being used/abused by hackers and
> > > > believe one method to reduce this from happening is to check the
> > > > length of my form data before writing it to my MySQL database.
> > >
> > > MySQL should cut it for you, if it is too long to fit, but of course
> > > it is smart to check it before inserting it into the table, because you
> > > never know if there is a bug in MySQL.
> > >
> > > > At the moment, I pass all my data through htmlentities() before
> > > > writing to my database. Is this enough? Should I check each
> > > > individual column's length first, or perhaps the overall content
> > > > length to fit within the maximum record length?
> > >
> > > Wouldn't it be smart to check it and inform the user that data
> > > doesn't fit? That is probably better than just cutting the end off.
> > >
> > > > I found a function called mysql_escape_string() and have thought of
> > > > using it - but other than strip_slashes(), I don't know the reverse
> > > > (unless strip_slashes() is the recommended opposite of
> > > > mysql_escape_string()).
> > >
> > > You don't need to reverse mysql_escape_string() when reading. Just be
> > > sure to call it before writing, because if you don't, you probably
> > > have the most common security hole in your application.
> >
> > Thanks... I have javascript checks on the form field lengths - but my
> > concern was on folks who try to work their way around these tests... I
> > know MySQL will cut the data but (and I'm probably mixing things up
> > here) I have read of some bugs being abused on an MS environment
> > whereby hackers somehow managed to write data after the NULL
> > character (which would normally terminate a string I think).
>
> Alright, I'm going to jump in just to prevent any further confusion. A
> buffer overrun is where you allocate a block of memory of fixed size, and
> then read in an arbitrary amount of data which may run past the end of the
> block of memory you have allocated (the buffer), overwriting memory that
> could potentially be executed. Since you have no memory management
> abilities in PHP, this is not anything that you as a user of PHP need to be
> concerned about. It has nothing to do with writing past a null character,
> it's simply a matter of reading in data of arbitrary size into a block of
> memory of fixed size.

Great - An answer... and one that I can understand too...

Cheers
Randell D.

Jul 17 '05 #7

"David Mackenzie" <me@privacy.net> wrote in message
news:cf**************************@4ax.com...
> On Wed, 07 Jan 2004 05:32:05 GMT, "Randell D."
> <re**********************@and.share.com> wrote:
> > At the moment, I pass all my data through htmlentities() before writing to
> > my database. Is this enough? Should I check each individual column's length
> > first, or perhaps the overall content length to fit within the maximum
> > record length?
>
> You should store your data as raw as possible and only use
> htmlentities() when outputting it in an HTML context.
>
> > I found a function called mysql_escape_string() and have thought of using
> > it - but other than strip_slashes(), I don't know the reverse (unless
> > strip_slashes() is the recommended opposite of mysql_escape_string()).
>
> addslashes() and stripslashes()
>
> --
> David ( @priz.co.uk )

Thanks...

Jul 17 '05 #8
