A user writes this sentence: "It was the New Urbanist's nightmare of
sprawl run amok."
They input that and my PHP script hits it with addslashes() and then
the sentence gets put in the database. A slash is likely inserted in
front of the quote mark in "Urbanist's ".
Later the user runs a search of the database for "New Urbanist's
nightmare".
Even if I run this query using LIKE, nothing will come back?
Should I hit the text with addslashes before I run the search?
How do most coders handle this?
13  2028 
On 28 Sep 2004 12:02:02 -0700, lk******@geocit ies.com (lawrence) wrote: A user writes this sentence: "It was the New Urbanist's nightmare of
sprawl run amok."
They input that and my PHP script hits it with addslashes() and then
the sentence gets put in the database. A slash is likely inserted in
front of the quote mark in "Urbanist's ".
If it is, it should only be for databases that stuff values into SQL (a poor
design choice). For example, MySQL.
The idea is that this then results in the original value being inserted into
the database - the addslashes() is only to encode it as being suitable for the
SQL statement, the slashes should not be stored. If they are, it's been
addslashed too many times.
Later the user runs a search of the database for "New Urbanist's
nightmare".
Even if I run this query using LIKE, nothing will come back?
Only if you've mangled the data by escaping too many times.
Should I hit the text with addslashes before I run the search?
It depends on your database. Maybe you would, but only so that the un-slashed
version gets searched. This can get complicated further because LIKE may
support escapes as well - so this may become database specific.
How do most coders handle this?
<rant>
Hopefully by using a database or database abstraction layer that supports
placeholders and binding data separately from the SQL statement, avoiding the
whole issue entirely and reducing the risk of making a mistake and leaving
yourself open to SQL injection, and depending on database, severe performance
issues.
</rant>
--
Andy Hassall / <an**@andyh.co. uk> / <http://www.andyh.co.uk >
<http://www.andyhsoftwa re.co.uk/space> Space: disk usage analysis tool
lawrence schrieb: Later the user runs a search of the database for "New Urbanist's
nightmare".
Even if I run this query using LIKE, nothing will come back?
Should I hit the text with addslashes before I run the search?
Yes. Or if you use MySQL use mysql_escape_st ring().
How do most coders handle this?
Some don't escape the special chars. They are likely to be under attack
very fast.
Regards,
Matthias
*** lawrence escribió/wrote (28 Sep 2004 12:02:02 -0700): They input that and my PHP script hits it with addslashes() and then
the sentence gets put in the database. A slash is likely inserted in
front of the quote mark in "Urbanist's ".
Later the user runs a search of the database for "New Urbanist's
nightmare".
Even if I run this query using LIKE, nothing will come back?
Should I hit the text with addslashes before I run the search?
Maybe I don't understand what you mean, but I can't see what the problem
is. Escaping quotes doesn't affect the content, it's just a way to allow
you to type quotes inside a quoted string.
$foo='O\'Brian' ;
This code creates a string with O'Brian as content, not O\'Brian.
If you don't escape the quotes when composing your SQL query, you'll just
get a syntax error:
SELECT * FROM table WHERE sentence LIKE 'New Urbanist's nightmare'
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Las dudas informáticas recibidas por correo irán directas a la papelera
-+ I'm not a free help desk, please don't e-mail me your questions
--
Andy Hassall <an**@andyh.co. uk> wrote in message news:<65******* *************** **********@4ax. com>... How do most coders handle this?
<rant>
Hopefully by using a database or database abstraction layer that supports
placeholders and binding data separately from the SQL statement, avoiding the
whole issue entirely and reducing the risk of making a mistake and leaving
yourself open to SQL injection, and depending on database, severe performance
issues.
</rant>
That's tantalizing but doesn't actually answer the question. What do
you normally do? Which database do you use? How do you insert data?
Can you give me an example so I have some sense of what the
alternative looks like?
Matthias Esken <mu************ ******@usenetve rwaltung.org> wrote in message news:<cj******* ***@usenet.eske n.de>... How do most coders handle this?
Some don't escape the special chars. They are likely to be under attack
very fast.
How would outsiders know? If it is an open source project (and mine
is) then they outsiders could read the code and see the weakness, but,
speaking hypothetically, if I wasn't giving my code away for free, how
would outsiders find out about the weakness? Perhaps you mean a
malicious internal user would eventually launch an attack?
"Alvaro G. Vicario" <kA************ *****@terra.es> wrote in message news:<qi******* *************** ******@40tude.n et>... Should I hit the text with addslashes before I run the search?
Maybe I don't understand what you mean, but I can't see what the problem
is. Escaping quotes doesn't affect the content, it's just a way to allow
you to type quotes inside a quoted string.
$foo='O\'Brian' ;
This code creates a string with O'Brian as content, not O\'Brian.
Maybe I should play around with my Linux box more and then I'd
understand these things, but logging into my MySql database over the
web using phpMyAdmin I see the slashes still there, or if I pull text
out of the database and don't hit them with stripslashes then the
slashes are still there. I've the impression that the slashes are
stored in the database.
*** lawrence escribió/wrote (29 Sep 2004 12:01:42 -0700): Maybe I should play around with my Linux box more and then I'd
understand these things, but logging into my MySql database over the
web using phpMyAdmin I see the slashes still there, or if I pull text
out of the database and don't hit them with stripslashes then the
slashes are still there. I've the impression that the slashes are
stored in the database.
There's a PHP configuration issue that's pretty confusing. PHP has some
options to automatically add slashes to form variables. It's called "magic
quotes". It can be the reason for finding slashes where there shouldn't be.
Check the output of phpinfo() for magic quotes.
Also, it's interesting to note that not al database management systems use
the same escaping system. MySQL uses \' while SQL server uses ''
(duplicating quotes).
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Las dudas informáticas recibidas por correo irán directas a la papelera
-+ I'm not a free help desk, please don't e-mail me your questions
--
*** lawrence escribió/wrote (29 Sep 2004 11:59:52 -0700): How would outsiders know?
If you have a computer with a public IP you're getting all sort of random
attack attempts all the time. Some people _are_ bored.
In any case, if you are willing to break a web site SQL injection is
probably your first guess. Also, not escaping quotes can cause errors not
related to attacks: a user can type a quote for many reasons.
--
-+ Álvaro G. Vicario - Burgos, Spain
+- http://www.demogracia.com (la web de humor barnizada para la intemperie)
++ Las dudas informáticas recibidas por correo irán directas a la papelera
-+ I'm not a free help desk, please don't e-mail me your questions
--
On 29 Sep 2004 11:57:18 -0700, lk******@geocit ies.com (lawrence) wrote: Andy Hassall <an**@andyh.co. uk> wrote in message news:<65******* *************** **********@4ax. com>... >How do most coders handle this?
<rant>
Hopefully by using a database or database abstraction layer that supports
placeholders and binding data separately from the SQL statement, avoiding the
whole issue entirely and reducing the risk of making a mistake and leaving
yourself open to SQL injection, and depending on database, severe performance
issues.
</rant>
That's tantalizing but doesn't actually answer the question. What do
you normally do? Which database do you use? How do you insert data?
Can you give me an example so I have some sense of what the
alternative looks like?
I use Oracle at work: http://www.php.net/manual/en/ref.oci8.php
An examples of using placeholders is here: http://www.php.net/manual/en/function.ocibindbyname.php
The key is that you can bind any value you like and don't even need to think
about escaping - the value you bind is what is stored, end of story.
MySQL doesn't support placeholders natively, but you can use a database
abstraction layer on top to emulate them, giving you the extra safety that they
provide:
e.g. http://pear.php.net/manual/en/packag...on.prepare.php
Or write your own - anything to avoid embedding values directly into SQL
directly in various places - better to have it all in one place, so if escaping
needs to be done it's done behind the scenes consistenly, and not directly by
the caller where it might be forgotten or done wrong.
--
Andy Hassall / <an**@andyh.co. uk> / <http://www.andyh.co.uk >
<http://www.andyhsoftwa re.co.uk/space> Space: disk usage analysis tool This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: JW |
last post by:
It took me a lot of trial and error to get text from an HTML form into MySQL to
account for quotation marks being entered. I came up with the following. It
works fine but I was wondering if this is the best way. Here are the relevant
snippets:
1) User enters data via post.html:
<form method="POST" action="post_confirm.php" name="form">
<textarea NAME="comments" ROWS=4 COLS=60 onkeyup="textLimit(comments,
800);"></TEXTAREA>
|
by: ian justice |
last post by:
Before i post actual code, as i need a speedyish reply.
Can i first ask if anyone knows off the top of their head, if there is
a likely obvious cause to the following problem.
For the moment i've reduced my form request to a simple text string
entry, instead of my desired optional parameters. As i have been stuck
with a single unfathomable glitch for over a year.
Basically, if i enter queries such as ;
"select * from table" "select * from...
|
by: Craig Thomson |
last post by:
I was wondering what people do with text provided by the user in a
form. Some cleaning needs to be done at some stage if you are going to
be putting it in a database or displaying it etc. But when is the time
to do that?
Do you clean it as soon as you get it?
Do you pass around the original text and clean it when you use it?
What about magic slashes? You need to addslashes before using in a db
statement, but you need to strip them...
|
by: BigDadyWeaver |
last post by:
I am using the following code in asp to define a unique and
unpredictable record ID in Access.
<%
'GENERATE UNIQUE ID
Function genguid()
Dim Guid
guid = server.createobject("scriptlet.typelib").guid
guid=Left(guid,instr(guid,"}"))
genguid=guid
|
by: DataBard007 |
last post by:
Hello Access Gurus:
I use Win98SE and Access97.
I just built a simple Access97 application which holds all contact
information for my personal contacts, such as first name, last name,
address, city, state, etc.
When the user wants to search for a particular record, he does two
things:
1. On the form is a text box on which he enters the text he is searching
for.
| | |
by: Bo Yang |
last post by:
Hi ,
I am reading some boost code now , and
I got confused by the following code in the
add_reference type trait .
template <class TT&(* is_reference_helper1(wrap<T>) )(wrap<T>);
char is_reference_helper1(...);
template <class Tno_type is_reference_helper2(T&(*)(wrap<T>));
yes_type is_reference_helper2(...);
|
by: tomjones75 |
last post by:
dear community,
i want to search the content of all fields in one table in a access database.
it already works for the content of one field in the table.
please take a look at the code in the resultpage:
<%
|
by: Neil |
last post by:
I posted a few days ago that it seems to me that the Access 2007 rich text
feature does not support: a) full text justification; b) programmatic
manipulation.
I was hoping that someone might know one way or the other whether that was
true or not, or could point me to an article or help text that would. What I
have seen so far online and in Access 2007 help seems to confirm the above.
But that (or at least (b)) seems incredible that it...
|
by: pezholio |
last post by:
Hi,
I'm trying (and failing) to find a safe method that returns records from a database if they have quotes in them, for example, if I generate a query like this:
SELECT * FROM foo WHERE bar LIKE 'here's pezholio's record with quotes'
Obviously it will be unsafe as I haven't escaped the quotes. I've tried storing the records with slashes already in them and then searching ie:
SELECT * FROM foo WHERE bar LIKE 'here/'s pezholio/'s...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| | |
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| | |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |
