Bytes | Software Development & Data Engineering Community

PHP/MySQL injection

Hi all,

I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
combination of functions you should use on variables posted by a form
before you add them to a database. Something like:

$var = trim(addslashes($_POST['test']));

Thanks,
WJ
Jul 25 '05 #1
On 2005-07-25, Willem-Jan <wj*******@home.nl> wrote:
Hi all,

I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
combination of functions you should use on variables posted by a form
before you add them to a database. Something like:

$var = trim(addslashes($_POST['test']));


Usually it goes like:
1-) Retrieve values from the $_POST array..

$clean = array();

// we are expecting foo to be an integer..
// strict comparison: with == the numeric string "1e1" would equal "10" and slip through
if (isset($_POST['foo']) && $_POST['foo'] === strval(intval($_POST['foo'])))
{
    $clean['foo'] = $_POST['foo'];
}

2-) Build your query...
$sql .= "foo='" . mysql_real_escape_string($clean['foo']) . "'";
More info at http://www.php.net/mysql_real_escape_string
You might want to consider a class to generate the SQL...
You might want to consider a DBMS that supports prepared statements...

--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Jul 26 '05 #2
That's a very good question and also a suggestion, Willem. Even I
sometimes look for that kind of function in my development. However,
I do believe there's a reason why a built-in function like that doesn't
exist. It's just to prevent lockout to a certain function,
considering not all requirements support that solution ("or
you'll end up looking for a function that does this but does not do
that"). However, creating a standard function for that based upon the
foundation of YOUR requirement will help your project and projects to
come.

Here's some list to include in your function:

checking the existence of the variable
checking the variable type, eg. Is it numeric, a boolean value or
a string?
checking the length
specifying the response URL if the conditions above were not
satisfied
then return the value of the requested parameter.

Well, it's up to you what you're going to include in your function.
Take some time to code it; you'll see the benefits (and the
problems!) soon when you use it.

Cheers!

Jul 26 '05 #3
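The checklist above turned into one function, as an added example that is not code from the thread or from any library: check_param() and get_params() are names I chose, and the spec table format is my own. It checks existence, type (int, bool or string), length, and on the first failure hands back the response URL the caller should redirect to; a real request handler would call header('Location: ...') and exit there, but returning the URL lets the script run from the command line. It assumes PHP 8 (for the mixed return type) and, as the reply says, is meant to be adapted to your own requirements.

```php
<?php
// Added example, not code from the thread. One "standard function" built from
// the checklist above: existence, type, length, response URL on failure, value.
// Names (check_param, get_params, the spec keys) are mine, not a library API.

// Check one value against a spec. Returns the normalised value, or null on
// failure with the reason written into $error.
function check_param(array $input, string $name, array $spec, ?string &$error): mixed
{
    $error = null;

    // 1. Existence. A missing optional parameter yields its default.
    if (!array_key_exists($name, $input)) {
        if (!empty($spec['required'])) {
            $error = "$name: missing";
            return null;
        }
        return $spec['default'] ?? null;
    }
    $raw = $input[$name];
    // PHP turns "name[]=..." into an array; a scalar field must arrive as a string.
    if (!is_string($raw)) {
        $error = "$name: not a scalar";
        return null;
    }

    // 2. Length, checked on the raw bytes before any conversion.
    $max = $spec['max_len'] ?? 255;
    if (strlen($raw) > $max) {
        $error = "$name: longer than $max bytes";
        return null;
    }

    // 3. Type. Each branch returns a value of the declared PHP type.
    switch ($spec['type']) {
        case 'int':
            // Canonical form only: "12abc", " 12", "007" and "1e1" are all rejected.
            if ($raw !== strval(intval($raw))) { $error = "$name: not an integer"; return null; }
            return intval($raw);
        case 'bool':
            // Only the forms an HTML form actually produces.
            if (in_array($raw, ['1', 'on', 'true'], true)) return true;
            if (in_array($raw, ['0', 'off', 'false', ''], true)) return false;
            $error = "$name: not a boolean"; return null;
        case 'string':
            // Optional anchored whitelist pattern; always reject control characters.
            if (isset($spec['pattern']) && !preg_match($spec['pattern'], $raw)) {
                $error = "$name: does not match pattern"; return null;
            }
            if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw)) {
                $error = "$name: contains control characters"; return null;
            }
            return $raw;
        default:
            throw new InvalidArgumentException("unknown type for $name");
    }
}

// Validate a whole form against a spec table. On the first failure the caller
// gets the URL to redirect to (a real handler would header() and exit here).
function get_params(array $input, array $specs, string $fail_url): array
{
    $clean = [];
    foreach ($specs as $name => $spec) {
        $value = check_param($input, $name, $spec, $error);
        if ($error !== null) {
            return ['ok' => false, 'redirect' => $fail_url . '?error=' . rawurlencode($error)];
        }
        $clean[$name] = $value;
    }
    return ['ok' => true, 'clean' => $clean];
}

$specs = [
    'id'     => ['type' => 'int',    'required' => true],
    'notify' => ['type' => 'bool',   'default' => false],
    'user'   => ['type' => 'string', 'required' => true, 'max_len' => 32,
                 'pattern' => '/\A[A-Za-z0-9_-]+\z/'],
];

// Constructed inputs standing in for $_POST: one well-formed, one carrying an
// injection attempt that the anchored pattern refuses.
print_r(get_params(['id' => '17', 'user' => 'alice'], $specs, '/form.php'));
print_r(get_params(['id' => '17', 'user' => "x' OR '1'='1"], $specs, '/form.php'));
```

Length is checked before type conversion on purpose: a 10 MB "integer" should be rejected by the byte limit, not handed to intval(). The int branch uses strict comparison; with == the numeric strings "1e1" and "10" compare equal in PHP and the check would pass a value that is not a canonical integer.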
In article <dc**********@news2.zwoll1.ov.home.nl>,
Willem-Jan <wj*******@home.nl> wrote:
Hi all,

I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
combination of functions you should use on variables posted by a form
before you add them to a database. Something like:

$var = trim(addslashes($_POST['test']));

Thanks,
WJ

This is what I use:

http://amduus.com/phpezine/archive/Issue2.pdf

http://amduus.com/phpezine/archive/issue2.zip

Feel free to use it. It also handles (hopefully) cross-site scripting (aka
someone taps some JavaScript into the field for the next sucker to run).

--
Available for Hire! http://amduus.com/Resumes/
Jul 26 '05 #4
Willem-Jan wrote:
Hi all,

I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
combination of functions you should use on variables posted by a form
before you add them to a database. Something like:

$var = trim(addslashes($_POST['test']));

Thanks,
WJ


mysql_escape_string()

C.
Jul 26 '05 #5
Scott Auge wrote:
This is what I use:

http://amduus.com/phpezine/archive/Issue2.pdf

http://amduus.com/phpezine/archive/issue2.zip


So, if I want to do something starting from scratch, I strip out HTML tags,
semi-colons and quotes I am killing off a fair amount of vandalism. This
would involve checking both form fields and stuff from the end of urls (I
can never remember the correct term of variables passed there).

Not crucial, as my application is only used by myself and is not publicly
accessible, but it would be nice to have a bit of a go.

I suppose if I were expecting alphanumeric stuff (including hyphen) a regular
expression on [ 0-9a-zA-Z-]* would not be a bad place to start.

Pete

--
http://www.petezilla.co.uk
Jul 26 '05 #6
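The two defences discussed in this thread, removing characters (this reply) and a whitelist regex, put next to the prepared statement suggested in the second reply, as an added example that is not code from the thread. It assumes PHP 8 with the PDO sqlite driver; an in-memory SQLite database stands in for MySQL so it runs offline (the mysql_* functions the thread uses were removed in PHP 7.0; PDO with a mysql: DSN is the equivalent today and the rest of the code is unchanged). Two things it shows: the pattern [ 0-9a-zA-Z-]* without anchors matches every string, because * can match the empty prefix, and even the anchored version accepts "1 OR 1", which in a numeric context (WHERE id = 1 OR 1) returns every row. Only a typed, bound parameter keeps the value out of the SQL text.

```php
<?php
// Added example, not code from the thread. Three approaches from this thread
// against the same database:
//   (a) stripping tags, semicolons and quotes (this reply),
//   (b) a character whitelist regex, unanchored as posted and anchored,
//   (c) a prepared statement with a typed parameter (second reply).
// Assumptions: PHP 8 with the PDO sqlite driver. An in-memory SQLite database
// stands in for MySQL so the script runs offline; both accept "WHERE id = 1 OR 1".

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// (a) Blacklist: remove the characters an attacker is expected to need.
function strip_dangerous(string $s): string
{
    return str_replace([';', "'", '"'], '', strip_tags($s));
}

// (b) Whitelist, as posted (no anchors) and with anchors.
function matches_unanchored(string $s): bool { return preg_match('/[ 0-9a-zA-Z-]*/', $s) === 1; }
function matches_anchored(string $s): bool   { return preg_match('/\A[ 0-9a-zA-Z-]*\z/', $s) === 1; }

// Query built by concatenation: the value is pasted into a numeric context,
// where no quote is needed to change the WHERE clause.
function rows_concat(PDO $db, string $id): int
{
    $rows = $db->query('SELECT id FROM users WHERE id = ' . $id)->fetchAll();
    return count($rows);
}

// (c) Prepared statement with a bound integer; the SQL text never changes.
function rows_prepared(PDO $db, string $id): int
{
    if ($id !== strval(intval($id))) {
        return 0;                       // not a canonical integer: refuse, do not guess
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE id = :id');
    $stmt->bindValue(':id', intval($id), PDO::PARAM_INT);
    $stmt->execute();
    return count($stmt->fetchAll());
}

$db = make_db();

// Constructed attacker inputs.
$payloads = [
    "1 OR 1=1",                  // no tags, quotes or semicolons: survives (a) unchanged
    "1 OR 1",                    // letters, digits and spaces only: passes the anchored whitelist too
    "'; DROP TABLE users; --",
];

foreach ($payloads as $p) {
    printf("%-26s strip->%-22s unanchored=%d anchored=%d\n",
        $p, strip_dangerous($p), matches_unanchored($p), matches_anchored($p));
}

// What the query actually does with the whitelisted "1 OR 1".
printf("concat:   %d rows\n", rows_concat($db, '1 OR 1'));   // the OR makes the WHERE true for every user
printf("prepared: %d rows\n", rows_prepared($db, '1 OR 1')); // refused before any SQL runs
printf("prepared: %d rows\n", rows_prepared($db, '1'));      // well-formed id
```

The character whitelist is still worth having, but it is an input check, not the thing that makes the query safe: the query is safe because the value is bound with PDO::PARAM_INT after a canonical-integer check, so "1 OR 1" never reaches the parser as SQL. The same holds for ADOdb-style emulated placeholders mentioned later in the thread: the library escapes or binds consistently so you cannot forget once.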
On Tue, 26 Jul 2005 09:22:31 +0100, Colin McKinnon
<co**************@andthis.mms3.com> wrote:
Willem-Jan wrote:
I'm a newbie in PHP and MySQL. I'm wondering if there is a standard
combination of functions you should use on variables posted by a form
before you add them to a database. Something like:

$var = trim(addslashes($_POST['test']));


mysql_escape_string()


Yep, or use a library that emulates placeholders, despite MySQL (production
versions, anyway) not supporting them natively - ADOdb is my favourite. The
correct escaping is then done consistently by the library, saving you from
introducing a problem by the one time you forget to use mysql_escape_string().

--
Andy Hassall / <an**@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
Jul 26 '05 #7
