Posted by areguera on 10/03/80 11:24
sorry... here is the message
On 8/19/05, areguera <alain.reguera@gmail.com> wrote:
> On 8/19/05, Ben Ramsey <ramsey@php.net> wrote:
> > Alain Reguera Delgado wrote:
> > > you could try:
> > >
> > > 1. get all form variables into an array
> >
> > fine
> >
> > > 2. validate values
> >
> > Good, but do this step as you put the values into a separate array,
> > don't put all the values into the array first and then validate them
> > later... make sure the input received is input expected and then save
> > only the input to the array that passes the validation/filtering tests
>
> yes .. that's much better .. :)
>
> >
> > > 3. convert all values into entities using htmlentities()
> >
> > Why do you want to do this before saving to the database?
>
> Ben, I had some trouble when moving a database from one server to
> another: all Latin characters disappeared, and the info turned into a mess.
> I thought for a moment it was a server's language configuration setting. I
> wondered for days before taking this way; I thought that if someone else
> wanted the application, the same would happen because their configuration
> is not like mine. Then that solution came to me. I felt that no matter what
> version or configuration of MySQL or other DB is used, or what Latin char is
> inserted, the data would always be there for the web, in the language it
> speaks.
>
> > This step has
> > absolutely no bearing on preparing the statement for insertion into a
> > database. It won't protect against SQL injection.
> >
> > Also, you will never
> > be able to do anything with this data other than use it for HTML output
> > (unless you try to reverse the entities, which seems like an awful lot
> > of work to me).
>
> yes, I don't like it either... it's not flexible.
>
> > It's best to save the raw data as entered and escape it
> > (with htmlentities() or something else) ONLY on output.
>
> that was the first way I used to go... but after that problem, I'm not sure
>
> >
> > As I mentioned in my last post to this thread, the best way to escape a
> > string for insertion into a database (and protect against SQL injection)
> > is to use the escape function for the particular database --
> > mysql_real_escape_string() in this case. You should never use
> > htmlentities() to escape data before saving it to a database. Do that
> > only after you've pulled data from the database and are outputting it
> > somewhere (like on a Web page).
> >
> > > 4. build sql query (do some tests 'til get it right)
> > > 5. execute the built query (with proper db function)
> > >
> > > by now, commas aren't a problem; they are confined between the SQL query's
> > > quotes. If some quotes are inserted as a value, they are previously
> > > converted to their entities and do not break the SQL query.
> >
> > This is why you use mysql_real_escape_string(), etc. -- not htmlentities().
> >
> > > as previously said in this thread, the problem is with quoting and maybe
> > > with converting the values to entities, to prevent some quote from breaking
> > > the SQL structure.
> >
> > You don't need to convert the values to HTML entities when saving to a
> > database. That's not going to prevent this problem.
>
> could you suggest something about Latin characters and portability?
>
> >
> > --
> > Ben Ramsey
> > http://benramsey.com/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
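The flow Ben argues for in the thread above (validate each field as it is copied into a separate array, escape for the database with the database's own escape function, and escape for HTML only at output time), written out as an added example that is not code from the original thread or from either poster. It uses mysqli rather than the mysql_* functions named in the thread because mysql_real_escape_string() and the rest of that extension were removed in PHP 7; the connection details, the `people` table and its three columns, and the `$raw` input array are all placeholders constructed for the example.

```php
<?php
// Added example, not from the thread. Validate, then escape for the database,
// then escape for HTML on output. Connection details and table are placeholders.

// Steps 1 and 2 of the thread, done the way Ben suggests: only values that
// pass validation are copied into $clean. Unknown fields never reach it.
function collect_valid_input(array $raw): array
{
    // Field name => validator returning the cleaned value, or null to reject.
    $rules = [
        'name'  => function ($v) {
            $v = trim((string) $v);
            return (strlen($v) > 0 && strlen($v) <= 80) ? $v : null;
        },
        'email' => function ($v) {
            $v = filter_var((string) $v, FILTER_VALIDATE_EMAIL);
            return $v === false ? null : $v;
        },
        'age'   => function ($v) {
            $opts = ['options' => ['min_range' => 0, 'max_range' => 150]];
            $n = filter_var($v, FILTER_VALIDATE_INT, $opts);
            return $n === false ? null : $n;
        },
    ];

    $clean = [];
    foreach ($rules as $field => $check) {
        if (!array_key_exists($field, $raw)) {
            continue;   // missing field: simply not stored
        }
        $value = $check($raw[$field]);
        if ($value !== null) {
            $clean[$field] = $value;
        }
    }
    return $clean;
}

// Step 3 as Ben describes it: escape for the *database* with the database's
// own escape function and build the query around the quoted, escaped values.
// Column names come from $rules, never from the user, so only values need escaping.
function build_insert(mysqli $db, array $clean): string
{
    $columns = [];
    $values  = [];
    foreach ($clean as $field => $value) {
        $columns[] = '`' . $field . '`';
        $values[]  = "'" . $db->real_escape_string((string) $value) . "'";
    }
    return 'INSERT INTO `people` (' . implode(', ', $columns) . ')'
         . ' VALUES (' . implode(', ', $values) . ')';
}

// HTML escaping happens only here, at output time; the stored data stays raw.
function render_row(array $row): string
{
    $out = '';
    foreach ($row as $field => $value) {
        $out .= '<li>' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ': '
              . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out;
}

// Usage with a constructed $_POST-like array (placeholder data).
$raw = [
    'name'  => "O'Brien, José",                    // apostrophe and accent stay as typed
    'email' => 'jose@example.com',
    'age'   => '42',
    'role'  => "x'); DROP TABLE people; --",       // unexpected field: never copied
];
$clean = collect_valid_input($raw);

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');   // placeholders
// Pin the connection charset so escaping and non-ASCII characters behave the
// same on every server the database is moved to.
$db->set_charset('utf8mb4');

$db->query(build_insert($db, $clean));

echo "<ul>\n" . render_row($clean) . "</ul>\n";
```

Two points worth noting about the design. The apostrophe in the name is handled by `real_escape_string()` on the way into the database and by `htmlspecialchars()` on the way out to the page, so the row keeps the raw text and stays usable for anything other than HTML, which is exactly the flexibility concern raised in the thread. Escaping is the approach the thread discusses; a prepared statement with bound parameters (`mysqli_prepare` / `bind_param`) removes the need to escape the values at all and is the usual choice today.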