Lemos form class

In reference to the Manuel Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?

Also, does anybody know of functions or classes that clean variables to
prevent SQL injection attacks or other security issues?

Thanks

Jul 17 '05 #1
In article <11**********************@c13g2000cwb.googlegroups.com>,
"diroddi" <ja***@diroddi.com> wrote:
In reference to the Manuel Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?

Also, does anybody know of functions or classes that clean variables to
prevent SQL injection attacks or other security issues?

Thanks


Well, you have the code. Why not read it and figure that out for
yourself? Such exploits allow unvalidated data to be entered into
fields on a web form and inserted directly into a MySQL database. To
prevent that, you strip various things out like all HTML and Javascript.
You also "escape" various things like single and double quotes.

Does his code do this? What would you need to modify to add this
enhancement?

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #2
Hello,

on 01/04/2005 11:40 PM diroddi said the following:
In reference to the Manuel Lemos Form class, does anybody know if the
class does anything to prevent SQL injection attacks or provide any
kind of security by cleaning _POST variables?

Also, does anybody know of functions or classes that clean variables to
prevent SQL injection attacks or other security issues?


Yes, if you use the DiscardInvalidValues option you can tell the class
to discard values that are not considered valid.

For instance, if you are editing a database record and you need to pass
the record id which is usually an integer value, if a hacker tries to
spoof that value passing something like "0 ; DROP TABLE users;" and you
used ValidateAsInteger and DiscardInvalidValues, the class will ignore
the submitted value and restore the default value.

Anyway, SQL injection prevention should be mostly done at SQL execution
time. If you are dealing with text values, you should quote them
properly to escape any characters that have special meaning for your
database server.

Personally, I use Metabase as a database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions like
GetTextFieldValue() that do the appropriate quoting of text field values
when the query statements are composed. You can also use Metabase
prepared queries support that perform the necessary conversion or
quoting of data values where needed.

http://www.phpclasses.org/metabase
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
Jul 17 '05 #3
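The two layers this answer describes (discard a value that fails integer validation and restore the default; let the driver quote or bind text values at execution time, which is also the escaping the previous reply asks for), written out as an added example in plain PHP. This is not code from the Lemos forms class or from Metabase; it assumes PDO with an in-memory SQLite table so it runs offline.

```php
<?php
// Added example, not the forms class or Metabase. Layer 1 mirrors what
// ValidateAsInteger + DiscardInvalidValues do for a record id; layer 2 lets
// PDO bind values so quoting is never done by string concatenation.

// Layer 1: a spoofed id such as "0 ; DROP TABLE users;" is not an integer,
// so the submitted value is ignored and the default is restored.
function integerOrDefault(array $post, string $name, int $default): int
{
    // FILTER_VALIDATE_INT accepts only a plain integer string; "0" -> 0,
    // anything else -> false, which we map back to the default.
    $value = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT);
    return $value === false ? $default : $value;
}

// Layer 2: the statement and the data travel separately, so a quote inside
// the name (O'Brien) is stored as data and cannot alter the SQL.
function renameUser(PDO $db, int $id, string $name): int
{
    $stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Assumed environment: pdo_sqlite, in-memory database with a small users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed sample of a tampered submission: the id from the thread plus
// a legitimate name that happens to contain a single quote.
$post = ['id' => '0 ; DROP TABLE users;', 'name' => "O'Brien"];

$id = integerOrDefault($post, 'id', 2);          // default 2 restored
$changed = renameUser($db, $id, $post['name']);  // 1 row updated

$stored = $db->query('SELECT name FROM users WHERE id = 2')->fetchColumn();
printf("id used: %d, rows changed: %d, stored name: %s\n", $id, $changed, $stored);
// The users table still exists and the stored name is the literal O'Brien.
```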
Manuel Lemos wrote:
Personally, I use Metabase as a database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions like
GetTextFieldValue() that do the appropriate quoting of text field values
when the query statements are composed. You can also use Metabase
prepared queries support that perform the necessary conversion or
quoting of data values where needed.

http://www.phpclasses.org/metabase


I had used Metabase for a while as well and found it to be quite easy to
use. I have recently (in the last year or so) switched over to PEAR::MDB
simply because it is part of PEAR and I don't have to copy its code to
each site I host. Since that is so close to Metabase as far as API is
concerned, there was very little learning curve or porting effort. All
in all, both projects are well planned and are only missing a few
features that I could have used at one point. (I have yet to search in
MDB for previous missing features...)

--
Justin Koivisto - ju****@koivi.com
http://www.koivi.com
Jul 17 '05 #4
Hello,

on 01/05/2005 01:52 PM Justin Koivisto said the following:
Personally, I use Metabase as a database abstraction package and so I am
always safe from SQL injection exploits as it comes with functions
like GetTextFieldValue() that do the appropriate quoting of text field
values when the query statements are composed. You can also use
Metabase prepared queries support that perform the necessary
conversion or quoting of data values where needed.

http://www.phpclasses.org/metabase


I had used Metabase for a while as well and found it to be quite easy to
use. I have recently (in the last year or so) switched over to PEAR::MDB
simply because it is part of PEAR and I don't have to copy its code to
each site I host. Since that is so close to Metabase as far as API is
concerned, there was very little learning curve or porting effort. All
in all, both projects are well planned and are only missing a few
features that I could have used at one point. (I have yet to search in
MDB for previous missing features...)


That is because MDB is just a PEARified version of Metabase! ;-)

MDB was meant to be a transition from PEAR::DB to Metabase as it provides
a compatible API, so PEAR::DB users can benefit from true database
independence provided by Metabase without having to change their database
calls too much.

If you were using Metabase you probably did not gain anything except
some work in changing your database calls in your applications. From
what I could understand from Lukas' work, MDB is being deprecated in
favour of MDB2, which breaks compatibility with MDB.
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
Jul 17 '05 #5
