This is a discussion on Editing a string to add a \ before a ' within the PHP Language forums, part of the PHP Programming Forums category.
"Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...

> noone wrote:
>
>>>> $sqli = "insert into tableA values ";
>>>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>>
>> goes without saying... merely a test example of how to enclose the
>> varchar data with single-quote "'".
>
> That's an example of a SQL injection, you should know that, and you should
> teach newbies to use RDBMS-specific techniques of escaping alphanumeric
> data prior to its usage in any SQL statement instead of posting such an
> example.
>
> This is how it should be done:
>

how about one line with a little more security:

<?php
$sqli = "INSERT INTO tableA VALUES ('" . str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," . intval($_POST['integer']) . ")";
?>

> I will reiterate myself. Never ever trust *any* data entered by *any*
> user.
>
>> You also want to use a platform that is nearly impossible to crack.
>
> Why should I matter about the platform, if anybody can inject SQL??
>
> - --
> - ----------------------------------
> Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
>
> Realidómetro: [\.......] Hmmm! It must not be working.
"Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message news:I66dnW_XP7dWPHTenZ2dnUVZ_t-dnZ2d@comcast.com...

>
> "Iván Sánchez Ortega" <i.punto.sanchez--@rroba--mirame.punto.net> wrote in
> message news:hn3gb3-npg.ln1@blackspark.escomposlinux.org...
>> noone wrote:
>>
>>>>> $sqli = "insert into tableA values ";
>>>>> $sqli .= "('".$_POST['varchar']."',".$_POST['integer'].")";
>>>
>>> goes without saying... merely a test example of how to enclose the
>>> varchar data with single-quote "'".
>>
>> That's an example of a SQL injection, you should know that, and you
>> should
>> teach newbies to use RDBMS-specific techniques of escaping alphanumeric
>> data prior to its usage in any SQL statement instead of posting such an
>> example.
>>
>> This is how it should be done:
>>
>
> how about one line with a little more security:
> <?php
> $sqli = "INSERT INTO tableA VALUES ('" . str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," . intval($_POST['integer']) . ")";
> ?>

OOPS! got the functions order-swapped. should strip semicolons out first.
otherwise, generated html named entities will be all messed up.
it would be even better to do a preg_match("/;/",$_POST['varchar']) to search
for injection attempts and lockout the user.

<?php
$sqli = "INSERT INTO tableA VALUES ('" . mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," . intval($_POST['integer']) . ")";
?>

>
>
>>
>> I will reiterate myself. Never ever trust *any* data entered by *any*
>> user.
>>
>>> You also want to use a platform that is nearly impossible to crack.
>>
>> Why should I matter about the platform, if anybody can inject SQL??
>>
>> - --
>> - ----------------------------------
>> Iván Sánchez Ortega -i-punto-sanchez--arroba-mirame-punto-net
>>
>> Realidómetro: [\.......] Hmmm! It must not be working.
>
>
On Tue, 7 Feb 2006 23:46:17 -0800, "Jim Michaels" <jmichae3@nospam.yahoo.com>
wrote:

>how about one line with a little more security:
>
> <?php
>$sqli = "INSERT INTO tableA VALUES ('" .
>str_replace(";","",mysql_real_escape_string($_POST['varchar'])) . "'," .
>intval($_POST['integer']) . ")";
>?>

If you're escaping the value correctly with mysql_real_escape_string and have
enclosed that in single quotes, there's no need to remove semicolons. All
you're doing is corrupting data; you're not adding any more security.

--
Andy Hassall :: andy@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
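The three ways of building the INSERT that the posts above argue over, as an added example that is not from the thread: it uses PDO with an in-memory SQLite database instead of the mysql_* functions so it runs offline, with PDO::quote() standing in for mysql_real_escape_string() plus the surrounding single quotes; the column names, the $post array and its sample values are assumptions.

```php
<?php
// Added example, not from the thread: in-memory SQLite via PDO stands in for
// MySQL so it runs offline. Table name is the thread's; column names assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tableA (name TEXT, qty INTEGER)');

// Constructed stand-in for $_POST: legitimate data that happens to contain
// both a single quote and a semicolon.
$post = ['varchar' => "O'Reilly; 2nd ed.", 'integer' => '42abc'];

// 1. The thread's original line: raw input concatenated into the SQL text.
//    The apostrophe alone breaks the statement; hostile input would rewrite it.
function insertNaive(PDO $db, array $post): void
{
    $sql = "INSERT INTO tableA VALUES ('" . $post['varchar'] . "'," . $post['integer'] . ")";
    $db->exec($sql);
}

// 2. Escape-and-quote with the driver's own routine (PDO::quote here, as
//    mysql_real_escape_string in the thread) and cast the integer. A semicolon
//    is inert inside a correctly quoted literal, so stripping it only loses data.
function insertEscaped(PDO $db, array $post): void
{
    $sql = "INSERT INTO tableA VALUES (" . $db->quote($post['varchar']) . ","
         . intval($post['integer']) . ")";
    $db->exec($sql);
}

// 3. Prepared statement: values never enter the SQL text, so there is no
//    escaping step to get wrong. This is the form to prefer.
function insertPrepared(PDO $db, array $post): void
{
    $stmt = $db->prepare('INSERT INTO tableA VALUES (?, ?)');
    $stmt->execute([$post['varchar'], intval($post['integer'])]);
}

try {
    insertNaive($db, $post);
} catch (PDOException $e) {
    echo "naive: statement rejected, " . $e->getMessage() . "\n";
}
insertEscaped($db, $post);
insertPrepared($db, $post);

// Both safe variants store the value verbatim, semicolon included.
foreach ($db->query('SELECT name, qty FROM tableA') as $row) {
    printf("%s | %d\n", $row['name'], $row['qty']);
}
```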
Jim Michaels wrote:
> "Jim Michaels" <jmichae3@nospam.yahoo.com> wrote in message
> news:I66dnW_XP7dWPHTenZ2dnUVZ_t-dnZ2d@comcast.com...
>
> OOPS! got the functions order-swapped. should strip semicolons out first.
> otherwise, generated html named entities will be all messed up.
> it would be even better to do a preg_match("/;/",$_POST['varchar']) to search
> for injection attempts and lockout the user.
> <?php
> $sqli = "INSERT INTO tableA VALUES ('" .
> mysql_real_escape_string(str_replace(";","",$_POST['varchar'])) . "'," .
> intval($_POST['integer']) . ")";
> ?>

Wow, as a PostgreSQL/PHP programmer I can honestly say that I am shocked at
some of the responses on this thread. Especially from 'noone'. But honestly,
some of you guys know just enough to be dangerous and not much else. Be
careful around big red buttons ok?

-Robert