I created a comment form which will inserts the comments into a database
and displays them immediately. I want to make sure that its safe from
users inserting unwanted data into the database or executing queries.
Here's my php code, is this done right? Is there anything else I should
to to make it more secure?
$handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
like an error occurred.');
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL,
'$comment', '$name', '$key')";
mysql_real_escape_string($sql);
mysql_select_db($database);
mysql_query($sql);
mysql_close($handle);
Thanks,
Zach Wingo
11  2698 
On Sun, 05 Aug 2007 05:01:54 +0200, zach <wa*******@gmail.comwrote:
I created a comment form which will inserts the comments into a database
and displays them immediately. I want to make sure that its safe from
users inserting unwanted data into the database or executing queries.
Here's my php code, is this done right? Is there anything else I should
to to make it more secure?
$handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
like an error occurred.');
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL,
'$comment', '$name', '$key')";
mysql_real_escape_string($sql);
You've got the point backwards....
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL,
'";
$sql .= mysql_real_escape_string($comment);
$sql .= "', '";
$sql .= mysql_real_escape_string($name);
$sql .= "', '";
$sql .= mysql_real_escape_string($key);
$sql .= "')";
Else, the 'delimiters' (the quotes) for your string will have been escaped
too.
Where do $comment,$name & $key come from BTW? I hope you;re not relying on
register_globals.....
mysql_select_db($database);
mysql_query($sql);
mysql_close($handle);
Is normally done automatically on the end of the request, but as long as
you;re finished with the database for the request a good thing to do.
--
Rik Wasmus
zach wrote:
>
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES (NULL,
'$comment', '$name', '$key')";
mysql_real_escape_string($sql);
Normally, you want to escape the string, not the whole query.
$comment = mysql_real_escape_string($comment);
Now create your query.
Rik wrote:
On Sun, 05 Aug 2007 05:01:54 +0200, zach <wa*******@gmail.comwrote:
>I created a comment form which will inserts the comments into a
database and displays them immediately. I want to make sure that its
safe from users inserting unwanted data into the database or executing
queries.
Here's my php code, is this done right? Is there anything else I
should to to make it more secure?
$handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
like an error occurred.');
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
(NULL, '$comment', '$name', '$key')";
mysql_real_escape_string($sql);
You've got the point backwards....
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
(NULL, '";
$sql .= mysql_real_escape_string($comment);
$sql .= "', '";
$sql .= mysql_real_escape_string($name);
$sql .= "', '";
$sql .= mysql_real_escape_string($key);
$sql .= "')";
Else, the 'delimiters' (the quotes) for your string will have been
escaped too.
Where do $comment,$name & $key come from BTW? I hope you;re not relying
on register_globals.....
>mysql_select_db($database);
mysql_query($sql);
mysql_close($handle);
Is normally done automatically on the end of the request, but as long as
you;re finished with the database for the request a good thing to do.
--Rik Wasmus
Ok, something that confuses me is why does mysql_real_escape_string need
a link or connection to the database if its simply escaping a string. I
thought the whole point was to do the work before it ever goes to a
database, so I wouldn't expect it to need a connection.
zach wrote:
Rik wrote:
>On Sun, 05 Aug 2007 05:01:54 +0200, zach <wa*******@gmail.comwrote:
>>I created a comment form which will inserts the comments into a
database and displays them immediately. I want to make sure that its
safe from users inserting unwanted data into the database or
executing queries.
Here's my php code, is this done right? Is there anything else I
should to to make it more secure?
$handle = mysql_connect($host,$user,$password) or die ('Sorry, looks
like an error occurred.');
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
(NULL, '$comment', '$name', '$key')";
mysql_real_escape_string($sql);
You've got the point backwards....
$sql = "INSERT INTO comments (id, comment, name, quotekey) VALUES
(NULL, '";
$sql .= mysql_real_escape_string($comment);
$sql .= "', '";
$sql .= mysql_real_escape_string($name);
$sql .= "', '";
$sql .= mysql_real_escape_string($key);
$sql .= "')";
Else, the 'delimiters' (the quotes) for your string will have been
escaped too.
Where do $comment,$name & $key come from BTW? I hope you;re not
relying on register_globals.....
>>mysql_select_db($database);
mysql_query($sql);
mysql_close($handle);
Is normally done automatically on the end of the request, but as long
as you;re finished with the database for the request a good thing to do.
--Rik Wasmus
Ok, something that confuses me is why does mysql_real_escape_string need
a link or connection to the database if its simply escaping a string. I
thought the whole point was to do the work before it ever goes to a
database, so I wouldn't expect it to need a connection.
I forgot to mention, the comment, name and key variables come from a
form via the post method. And thanks again for the help. Do you have a
job or do you just sit around helping people all day? lol
Message-ID: <ZK******************************@wavecable.comfro m zach
contained the following:
>I forgot to mention, the comment, name and key variables come from a
form via the post method.
So you need to do something like
$comment =mysql_real_escape_string($comment); on each user input.
Of course, you may want to do other validation prior to that. If
someone is trying to hack into your system, why store their attempt? You
might also want to check for content length, or banned text such as URLs
If the value meant to be an integer I use intval() rather than
mysql_real_escape_string()
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
NC wrote:
$sql = 'INSERT INTO comments (comment, name, quotekey) ' .
"VALUES ('$comment', '$name', '$key')";
mysql_real_escape_string($sql);
?? You should not be escaping the entire SQL query like this!
--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.12-12mdksmp, up 45 days, 11:24.]
Command Line Interfaces, Again http://tobyinkster.co.uk/blog/2007/0...nd-line-again/
zach wrote:
The manual only said it needed an open connection, but didn't
explain,(or not very clearly) why it needed it.
But Matt quoted from the manual the text:
"This is needed because the escaping depends on the character set in use by
the server."
This is in the first paragraph of the section in the manual.
Paul Lautman wrote:
zach wrote:
>The manual only said it needed an open connection, but didn't
explain,(or not very clearly) why it needed it.
But Matt quoted from the manual the text:
"This is needed because the escaping depends on the character set in use by
the server."
This is in the first paragraph of the section in the manual.
I read the PHP manual and it said nothing about this, it only mentioned
that in the mysql manual. I am writing a PHP script and so I looked in
the PHP manual. Who would have thought that writing a script in PHP,
people would expect you to look to other manuals for information.
zach
On Sun, 05 Aug 2007 21:46:59 +0200, zach <wa*******@gmail.comwrote:
Paul Lautman wrote:
>zach wrote:
>>The manual only said it needed an open connection, but didn't
explain,(or not very clearly) why it needed it.
But Matt quoted from the manual the text:
"This is needed because the escaping depends on the character set in
use by the server."
This is in the first paragraph of the section in the manual.
I read the PHP manual and it said nothing about this, it only mentioned
that in the mysql manual.I am writing a PHP script and so I looked in
the PHP manual. Who would have thought that writing a script in PHP,
people would expect you to look to other manuals for information.
Euhm:
<http://www.php.net/mysql_real_escape_string>
....
Escapes special characters in the unescaped_string, taking into account
the current character set of the connection so that it is safe to place it
in a mysql_query().
....
link_identifier
The MySQL connection. If the link identifier is not specified, the last
link opened by mysql_connect() is assumed. If no such link is found, it
will try to create one as if mysql_connect() was called with no arguments.
If by chance no connection is found or established, an E_WARNING level
warning is generated.
Well, it's all there, the character set, the connection, the opening of an
anonymous one... I knew it and I have never read the portion in the MySQL
manual that mentions the use of mysql_real_escape_string.
I guess reading is an art.
--
Rik Wasmus
Rik wrote:
On Sun, 05 Aug 2007 21:46:59 +0200, zach <wa*******@gmail.comwrote:
>Paul Lautman wrote:
>>zach wrote:
The manual only said it needed an open connection, but didn't
explain,(or not very clearly) why it needed it.
But Matt quoted from the manual the text:
"This is needed because the escaping depends on the character set in
use by the server."
This is in the first paragraph of the section in the manual.
I read the PHP manual and it said nothing about this, it only
mentioned that in the mysql manual.I am writing a PHP script and so I
looked in the PHP manual. Who would have thought that writing a script
in PHP, people would expect you to look to other manuals for information.
Euhm:
<http://www.php.net/mysql_real_escape_string>
...
Escapes special characters in the unescaped_string, taking into account
the current character set of the connection so that it is safe to place
it in a mysql_query().
...
link_identifier
The MySQL connection. If the link identifier is not specified, the last
link opened by mysql_connect() is assumed. If no such link is found, it
will try to create one as if mysql_connect() was called with no
arguments. If by chance no connection is found or established, an
E_WARNING level warning is generated.
Well, it's all there, the character set, the connection, the opening of
an anonymous one... I knew it and I have never read the portion in the
MySQL manual that mentions the use of mysql_real_escape_string.
I guess reading is an art.
--Rik Wasmus
I read that. That's how I fixed the connection error. I didn't supply a
link identifier or have an open connection to that point in the script.
I just didn't know why it needed the connection. And this, "taking into
account the current character set of the connection", as someone who is
very new that makes no sense. I had no idea what that meant. Which is
why I asked here. Less than 1 month ago I didn't know how to do much
more than echo something to the screen.
Yes, reading is an art if you know what it is you're looking for.
Zach
On Aug 5, 12:45 am, Toby A Inkster <usenet200...@tobyinkster.co.uk>
wrote:
NC wrote:
$sql = 'INSERT INTO comments (comment, name, quotekey) ' .
"VALUES ('$comment', '$name', '$key')";
mysql_real_escape_string($sql);
?? You should not be escaping the entire SQL query like this!
Indeed. Forgot to delete the unnecessary line from the OP's code
after trying to explain why it should be deleted. :) Thanks for
pointing it out!
Cheers,
NC This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: leegold2 |
last post by:
When I look directly in my db field I see a difference between these two
functions. The top line (seebelow) was inserted with addslashes vs. the
bottom line where I used mysql_real_escape_string....
|
by: Michael G |
last post by:
If I only escape the characters that mysql_real_escape_string recognizes, is
this adequate protection against SQL injection attacks?
I have read a number of archived posts plus I've read some of...
|
by: Marcus |
last post by:
Hello,
My php.ini file currently has magic quotes set to On, but I have read
that it is better to code with it off.
Currently with magic quotes on, I only use stripslashes() to properly...
|
by: frizzle |
last post by:
Hi groupies,
I have 2 small questions, which i really want to be sure about:
- does mysql_real_escape_string() prevent any kind of mysq-injection?
- can it put escaped quotes etc in the DB, or...
|
by: comp.lang.php |
last post by:
when trying to use the mysql_real_escape_string() function, the
following warning occurs:
First of all, the user is not 'web' trying to connect to the database,
secondly, what is...
|
by: matthud |
last post by:
<?php
//MAKE IT SAFE
$chunk = $_POST;
$title = $_POST;
$url = $_POST;
$tags = $_POST;
$user = $_POST;
$safe_chunk = mysql_real_escape_string(htmlentities($chunk));
$safe_title =...
|
by: Pugi! |
last post by:
It is by accident that I noticed that I forgot to use
mysql_real_escape_string in part of my webapp.
I tested input with following text : Hélène 51°56'12'' http://www.mysite.org/folder
3 functions...
|
by: ndlarsen |
last post by:
Hello.
It's been a while since I used php. Since then magic quotes has been
deprecated and will be removed when php 6.0 hits. My question is, what
should I be using when submitting data to a...
|
by: roseple |
last post by:
Hi, can anyone please help me why I got this error every I uploaded files.
Error:
Here is the code on the said warning message:
# Gather all required data
$name =...
|
by: lllomh |
last post by:
Define the method first
this.state = {
buttonBackgroundColor: 'green',
isBlinking: false, // A new status is added to identify whether the button is blinking or not
}
autoStart=()=>{
|
by: DJRhino |
last post by:
Was curious if anyone else was having this same issue or not....
I was just Up/Down graded to windows 11 and now my access combo boxes are not acting right. With win 10 I could start typing...
|
by: tracyyun |
last post by:
Hello everyone,
I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
|
by: NeoPa |
last post by:
Introduction
For this article I'll be using a very simple database which has Form (clsForm) & Report (clsReport) classes that simply handle making the calling Form invisible until the Form, or all...
|
by: Teri B |
last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course.
0ne-to-many. One course many roles.
Then I created a report based on the Course form and...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM)
Please note that the UK and Europe revert to winter time on...
|
by: nia12 |
last post by:
Hi there,
I am very new to Access so apologies if any of this is obvious/not clear.
I am creating a data collection tool for health care employees to complete. It consists of a number of...
|
by: NeoPa |
last post by:
Introduction
For this article I'll be focusing on the Report (clsReport) class. This simply handles making the calling Form invisible until all of the Reports opened by it have been closed, when it...
|
by: isladogs |
last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, Mike...
| |
