FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Sanitising input
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Sanitising input [message #172115 is a reply to message #172103] Mon, 31 January 2011 03:43 Go to previous messageGo to previous message
Ross McKay is currently offline  Ross McKay
Messages: 14
Registered: January 2011
Karma:
Junior Member
On Sun, 30 Jan 2011 16:50:15 -0500, Jerry Stuckle wrote:

> No, that is not the "only way".

Sure, but I reckon it's the OP's best bet (as I stated).

> First of all, it is necessary to include outside data. How, for
> instance, are you going to get the customer's name if you don't allow
> outside data?

There is absolutely no need to include "outside data" in an SQL query.
You can have placeholders in the query and use a prepared statement,
which is what http://bobby-tables.com/ is advocating.

> And properly escaping strings protects against attacks just as well as
> using parameterized statements does.

Absolutely, when done correctly, and never omitted when required, and...
or you can just follow a policy of using prepared statements to present
varying and user-submitted data to the database. I reckon the OP wants
to know how not to shoot him/herself in the foot, and I reckon prepared
statements is the easiest way to prevent that shot.

And when it comes to PHP and its myriad ways to submit queries to the
different databases, I personally prefer to use something like PDO that
presents a largely consistent interface for doing that across the
different databases.

Utilising prepared statements is similar enough across PHP/PDO, ADO,
Java, and .NET that one only needs to understand the basics of using
prepared statements to be capable of writing safe database code on each
of those platforms.

No need to remember that mysql_escape_string() is damaged and that
mysql_real_escape_string() is the safe one, as compared to
mysqli_escape_string() which is safe because it's an alias of
mysqli_real_escape_string(), and that pg_escape_string() is safe and
there isn't a pg_real_escape_string(), and that you might need to use
addslashes() for an ODBC database connection e.g. to Access or MSSQL,
etc.

Albeit if using PDO, you can probably use the quote() function on the
connection for many databases (but not ODBC connections), and not be
concerned about such guff... but even the manual page for that function
advises the use of prepared statements instead:

http://au2.php.net/manual/en/pdo.quote.php

Once the OP becomes expert, they can happily seek out the use-case
appropriate escaping mechanism if they want. But the simple answer to
the OP is for databases, just use prepared statements and you won't come
unstuck.
--
Ross McKay, Toronto, NSW Australia
"The chief cause of problems is solutions" -Eric Sevareid
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Only SPAM!!!
Next Topic: What *tasks* are hard for PHP?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 02:02:23 GMT 2024

Total time taken to generate the page: 0.04649 seconds