Re: [PHP] Using mysql_real_escape_string without connecting to mysql
- From: jochem@xxxxxxxxxxxxx (Jochem Maas)
- Date: Wed, 23 Jan 2008 22:51:00 +0100
Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
>> I can read, I saw 2 functions the first time. each function cleans *and* escapes.
>> cleaning is filtering of input.
>> escaping is preparing for output.
>> 2 concepts.
> I see your point.
>> if the input needs to be stripped of html then it needs that regardless
>> of the output vector. again removing or not-accepting input if it contains
>> '--' is a question of filtering/validation ... besides which '--' is quite
>> acceptable for data stored in a text field but not for a numeric one.
> I'm not accepting "--" at all until someone can show me a real world
> case where one would use it, without the intention of SQL injection.
> How can it be escaped, anyway?
I might just want to put '--' in a textfield used as the basis for content
for a webpage. just because I want to. the most pertinent example is wikis,
they use '--' as markup (which is usually transformed into an <hr /> when the
results are output for viewing ... but obviously you want the original markup
when editing).
INSERT INTO foo (textfield) VALUES ('--');
nothing to escape in the case of those chars being part of a string, the escaping
mechanism [hopefully] ensures that a given string will never contain a byte sequence that
the query parser will misinterpret as a sign to end the string (before the last intended quote
delimiter) prematurely and thereby treat the remainder of the input string as SQL.
>> filter each piece of data
>> validate each piece of data
>> escape each piece of data for each context in which it will be output.
> I see that you have more experience than I!
>> imho your functions are conceptually wrong and not very robust either -
>> don't take it as a personal attack - I'm very sure if we sat down with *some*
>> of my code the same criticism could be made to more or lesser extent :-) ...
>> "getting better all the time" as they sang once ;-)
> I never thought that was a personal attack, not for a second. Rather,
> I very much appreciate the time you take to explain to me my errors.
> And I intend to learn from them. For the time being, I'll leave the
> code as it is. However, for future projects, I will make a point of
> separating the different functions. Thanks.
> Dotan Cohen
> http://what-is-what.com
> http://gibberish.co.il
> א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
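As an added illustration of the filter / validate / escape split discussed in this thread (example code, not from either poster): '--' is kept for the text column, rejected for the numeric one, and handed to SQL through a bound parameter rather than a hand-built escaped string. PDO with an in-memory SQLite table stands in for the MySQL connection so the script runs offline; the table, column names and request array are constructed.

```php
<?php
// Added example, not from the thread: filter, validate and escape as three
// separate steps. Table, column names and the request array are constructed.

// 1. filter: normalise the raw input (trim, drop C0 control characters,
//    but keep tab, newline and carriage return).
function filter_text(string $raw): string {
    return (string) preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', trim($raw));
}

// 2. validate against what the field *is*: '--' is acceptable in a text
//    column (wiki markup) but must be rejected for a numeric one.
function validate_int(string $value): int {
    if (!preg_match('/^-?\d+$/', $value)) {
        throw new InvalidArgumentException("not an integer: $value");
    }
    return (int) $value;
}

// 3a. SQL context: bind the value so the query parser never sees it as query
//     text; no string escaping is needed. This stands in for
//     mysql_real_escape_string, which needs a live connection for its charset.
function insert_note(PDO $db, int $pageId, string $text): void {
    $stmt = $db->prepare('INSERT INTO foo (page_id, textfield) VALUES (?, ?)');
    $stmt->execute([$pageId, $text]);
}

// 3b. HTML context: the same stored value is escaped only when rendered.
function render_note(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed request: the '--' line must reach the text column untouched,
// while the same token in page_id would make validate_int() throw.
$input  = ['page_id' => '42', 'body' => "intro\n--\nnext <section>"];
$pageId = validate_int(filter_text($input['page_id']));
$body   = filter_text($input['body']);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foo (page_id INTEGER, textfield TEXT)');
insert_note($db, $pageId, $body);

$stored = $db->query('SELECT textfield FROM foo WHERE page_id = 42')->fetchColumn();
echo render_note($stored), "\n";
```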