Re: PHP mysql_excape but need to search for those items [message #178370 is a reply to message #178364]
Mon, 11 June 2012 21:06
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 6/11/2012 2:38 PM, J.O. Aho wrote:
> Jerry Stuckle wrote:
>> On 6/11/2012 1:01 PM, mrgushi wrote:
>>> Jerry,
>>> This is what I'm working with so far.
>>>
>>> Not sure if I've escaped everything I needed to.
>>>
>>> $ENG = mysql_real_escape_string($ENG);
>>> $result = mysql_query("SELECT * FROM br_test WHERE ENG LIKE '$ENG' ");
>>> $row = mysql_fetch_array( $result );
>>>
>>> The $ENG is the input from the search form.
>>> The JS problem is valid, but then again it will be in a locked-down iOS
>>> app using PhoneGap. And I'll be using an HTTPS tunnel to the PHP
>>> scripts, using some sort of cookie with an SSL flag to lock it down. So
>>> someone could jailbreak an iOS app and dig down in my settings and
>>> figure out the JS, but I don't think that's likely. But you're right, I
>>> want to take every precaution.
>>>
>> Yes, that will work very nicely (although it's not considered good
>> form to use SELECT * - rather select the individual columns. It will
>> save you heartache later).
>>
>> There are more ways than just jailbreaking the iPhone. There is no
>> guarantee that the request even came from your app on an iPhone. The
>> request can easily be faked in any number of ways. And there's no
>> guaranteed way to "lock it down" and be sure, unless you don't make it
>> ever available via the internet.
>>
>
> Don't forget man-in-the-middle; using HTTPS will not protect against that.
>
Actually, it will. HTTPS transmissions are encrypted between the client
and the server using public/private key encryption. That's the whole
purpose of HTTPS.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
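The snippet quoted in this thread escapes the search term with mysql_real_escape_string() and then puts it into a LIKE clause. That call only makes the value safe as a string literal; it does not touch the LIKE wildcards `%` and `_`, so a term such as `%` still matches every row. The example below is added here and is not code from the thread or from any poster. It assumes PDO with an in-memory SQLite database (so it runs without a MySQL server; the same prepared-statement and LIKE-escaping logic works with PDO's MySQL driver), a constructed table `br_test` with columns `id` and `eng`, and an explicit `ESCAPE '!'` clause so the escape character is the same on both databases rather than relying on MySQL's backslash default. The functions `escapeLikeTerm()` and `searchEng()` are hypothetical names chosen for this example.

```php
<?php
// Added example, not from the thread: bound parameters plus LIKE-wildcard
// escaping for a user-supplied search term.

// Escape the LIKE wildcards '%' and '_' and the escape character itself, so the
// term matches literally. The escape character is replaced first so that the
// later replacements cannot be re-escaped.
function escapeLikeTerm(string $term, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

// Search the (assumed) br_test.eng column for rows containing $userInput.
// The value is passed as a bound parameter: it is never interpolated into the
// SQL text, so quote characters in the input cannot alter the statement, and
// the ESCAPE clause stops wildcards in the input from widening the match.
function searchEng(PDO $db, string $userInput): array
{
    $stmt = $db->prepare(
        "SELECT id, eng FROM br_test WHERE eng LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . escapeLikeTerm($userInput, '!') . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite stands in for MySQL here (assumption, so it runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE br_test (id INTEGER PRIMARY KEY, eng TEXT)");

// Constructed sample rows, including ones with wildcard and quote characters.
$ins = $db->prepare("INSERT INTO br_test (eng) VALUES (?)");
foreach (["100% cotton", "under_score", "plain text", "O'Reilly"] as $value) {
    $ins->execute([$value]);
}

// A lone '%' as the search term: unescaped it would match all four rows;
// escaped, it matches only the row that literally contains a percent sign.
print_r(searchEng($db, '%'));       // "100% cotton" only
print_r(searchEng($db, '_score'));  // "under_score" only
print_r(searchEng($db, "O'Re"));    // "O'Reilly"; the quote is just data
```

With the quoted mysql_* version, the same inputs would behave differently: `%` and `_score` would match far more rows than intended because the wildcards pass through untouched. Escaping the wildcards is a correctness and denial-of-service concern (a `%` search forces a full scan and returns the whole table), while the bound parameter is what removes the injection risk; the two are separate steps and both are needed for a user-driven LIKE search.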