Re: [PHP] Re: PHP MySQL insert

Posted by Ben Ramsey on 10/19/29 11:24

Alain Reguera Delgado wrote:
> you could try:
>
> 1. get all form variables into an array

fine

> 2. validate values

Good, but do this step as you put the values into a separate array;
don't put all the values into the array first and then validate them
later. Make sure the input received is the input expected, and then save
to the array only the input that passes the validation/filtering tests.

> 3. convert all values into entities using htmlentities()

Why do you want to do this before saving to the database? This step has
absolutely no bearing on preparing the statement for insertion into a
database. It won't protect against SQL injection. Also, you will never
be able to do anything with this data other than use it for HTML output
(unless you try to reverse the entities, which seems like an awful lot
of work to me). It's best to save the raw data as entered and escape it
(with htmlentities() or something else) ONLY on output.

As I mentioned in my last post to this thread, the best way to escape a
string for insertion into a database (and protect against SQL injection)
is to use the escape function for the particular database --
mysql_real_escape_string() in this case. You should never use
htmlentities() to escape data before saving it to a database. Do that
only after you've pulled data from the database and are outputting it
somewhere (like on a Web page).

> 4. build sql query (do some tests 'til get it right)
> 5. execute the built query (with proper db function)
>
> by now, commas aren't a problem, they are limited between the sql query's
> quotes. If some quotes are inserted as values they have previously been
> converted to their entities and do not break the sql query.

This is why you use mysql_real_escape_string(), etc. -- not htmlentities().

> as previously said in this thread, the problem is with quoting and maybe
> with converting the values to entities, to prevent some quote from breaking
> the sql structure.

You don't need to convert the values to HTML entities when saving to a
database. That's not going to prevent this problem.

--
Ben Ramsey
http://benramsey.com/
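The flow Ben describes (validate each expected field as it is copied into a separate array, escape with the database's own function rather than htmlentities(), and apply entities only on output) as an added example; it is not code from this thread or from either poster. It assumes a MySQL table `contacts` with columns `name` and `email`, placeholder connection credentials, and uses the mysqli extension, where `mysqli_real_escape_string()` is the counterpart of the `mysql_real_escape_string()` named in the post. It also shows the same insert as a prepared statement, which the thread does not mention.

```php
<?php
// Added example, not from the thread. Assumes a table created with
//   CREATE TABLE contacts (id INT AUTO_INCREMENT PRIMARY KEY,
//                          name VARCHAR(60), email VARCHAR(120));
// and a mysqli connection. Credentials below are placeholders.

// Steps 1+2 together, as Ben recommends: validate each expected field as it
// is copied into a separate array, and keep nothing that does not pass.
function collectValidInput(array $raw): array
{
    $rules = [
        // field => validator returning the accepted value, or null to reject
        'name'  => function ($v) {
            $v = trim((string)$v);
            // 1..60 characters: letters, spaces, apostrophes, hyphens only
            return preg_match('/^[\p{L} \'\-]{1,60}$/u', $v) ? $v : null;
        },
        'email' => function ($v) {
            $v = trim((string)$v);
            $ok = strlen($v) <= 120 && filter_var($v, FILTER_VALIDATE_EMAIL) !== false;
            return $ok ? $v : null;
        },
    ];

    $clean = [];
    foreach ($rules as $field => $validate) {
        if (!array_key_exists($field, $raw)) {
            continue;                  // missing field: nothing saved for it
        }
        $value = $validate($raw[$field]);
        if ($value !== null) {
            $clean[$field] = $value;   // only values that passed reach the array
        }
    }
    return $clean;                     // unexpected fields are never copied
}

// Steps 4+5: build the query with the database's escaping function
// (never htmlentities()) and execute it. Returns the new row id or null.
function insertContact(mysqli $db, array $clean): ?int
{
    if (!isset($clean['name'], $clean['email'])) {
        return null;                   // required fields did not validate
    }
    $name  = mysqli_real_escape_string($db, $clean['name']);
    $email = mysqli_real_escape_string($db, $clean['email']);
    // Quotes and backslashes in the values are escaped for MySQL, so an
    // apostrophe in a name like O'Brien cannot terminate the string literal.
    $sql = "INSERT INTO contacts (name, email) VALUES ('$name', '$email')";
    if (!mysqli_query($db, $sql)) {
        return null;
    }
    return (int)mysqli_insert_id($db);
}

// Same insert as a prepared statement: the values never become part of the
// SQL text, so no escaping call is needed. Either route works; this one is
// harder to get wrong because there is no escaping step to forget.
function insertContactPrepared(mysqli $db, array $clean): ?int
{
    if (!isset($clean['name'], $clean['email'])) {
        return null;
    }
    $stmt = mysqli_prepare($db, 'INSERT INTO contacts (name, email) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $clean['name'], $clean['email']);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok ? (int)mysqli_insert_id($db) : null;
}

// Output: raw text was stored; entities are applied here, and only here.
function renderContact(array $row): string
{
    return '<li>' . htmlentities($row['name'], ENT_QUOTES, 'UTF-8')
         . ' &lt;' . htmlentities($row['email'], ENT_QUOTES, 'UTF-8') . '&gt;</li>';
}

// Usage with a constructed form submission (no real request involved).
$submitted = ['name' => "O'Brien", 'email' => 'ob@example.com', 'extra' => 'not a field we asked for'];
$clean = collectValidInput($submitted);   // 'extra' is dropped: it was never expected

$db = mysqli_connect('localhost', 'user', 'password', 'testdb');   // placeholders
mysqli_set_charset($db, 'utf8mb4');   // escaping is only correct for the connection charset
$id = insertContact($db, $clean);     // or insertContactPrepared($db, $clean)
echo renderContact($clean);           // entities applied at output time
```

The `mysqli_set_charset()` call matters for the escaping route: `mysqli_real_escape_string()` escapes according to the connection's character set, so the connection must be told which one is in use before any value is escaped. The prepared-statement function is included as the alternative a current PHP codebase would normally use; the validation and output-time escaping steps are the same for both.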

 
