Posted by Jerry Stuckle on 07/05/06 01:45
Harold Crump wrote:
> Hi Rik --
>
>
>>>My question - is it enough to pass all user input through the
>>>htmlentities() function call and store the resultant output?
>>
>>No. Use mysql_real_escape_string(), although that's not a 100% secure
>>either:
>>http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
>
>
> My understanding is that htmlentities replaces all types of quotes with
> its HTML equivalent - doesn't that get rid of the whole problem with
> escaping, or not escaping, quotes?
>
> What's the issue with storing the "e in the database?
What if you want to use the data for other than displaying on the web? For instance, another
(non-web) application is going to print information from the database? It might even be a C/C++
application, for instance.
>
> Why bother with mysql_real_escape_string and all its inherent issues if
> we can completely eliminate quotes from making their way into the SQL
> statement?
>
Because mysql_real_escape takes the current charset into account when performing its operations.
> What am I missing?
>
The fact that not everything in the world is html based?
>
>>Prepared statements seem the way to go. Use mysqli if available.
>
>
> Aren't they available only with version 5 and above?
> I am still on an older version.
>
True, but you can secure your code without prepared statements. Additionally, prepared statements
have additional overhead.
>
>>>Also, I would like to replace all semi-colons in input with something
>>>else - but I am not sure what and how.
>>
>>Why?
>
>
> Semi-colons are statement terminators in SQL.
> They are commonly used in SQL injection attacks to end the current
> statement and insert a malicious statement.
>
So? A semicolon is perfectly valid within a string. Properly escaping your input data will take
care of the problem as any attempt to insert a semicolon and an additional statement will just give
an error due to invalid syntax.
> -Harold.
>
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
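A constructed example, not from the thread: Python with an in-memory SQLite database standing in for the PHP/MySQL setup, and `html.escape()` standing in for `htmlentities()`. It exercises the three points made above: an HTML-encoding function is not an SQL escaping function, data stored HTML-encoded comes back wrong for a non-web consumer, and a bound parameter (the prepared-statement route) makes both the quote and the semicolon plain data.

```python
import html
import sqlite3


def open_db():
    """In-memory SQLite (constructed fixture) standing in for the thread's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def insert_concat(conn, name, encode):
    """Build the statement by string concatenation after passing the value through
    `encode` (stand-in for htmlentities()). Returns the stored value, or the name of
    the exception the database raised if the statement did not parse."""
    try:
        conn.execute("INSERT INTO users (name) VALUES ('" + encode(name) + "')")
    except sqlite3.Error as exc:
        return type(exc).__name__
    return conn.execute("SELECT name FROM users").fetchone()[0]


def insert_bound(conn, name):
    """Send the value as a bound parameter, the equivalent of a mysqli prepared
    statement: the driver never lets the value become part of the SQL text."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return conn.execute("SELECT name FROM users").fetchone()[0]


# Constructed sample input: legitimate data that happens to contain the two
# characters argued about in the thread, an apostrophe and a semicolon.
NAME = "O'Reilly; Ltd"


def demo():
    # htmlentities() with its historical default flags (ENT_COMPAT) leaves the
    # apostrophe alone, so the concatenated statement is malformed and fails.
    no_quotes = insert_concat(open_db(), NAME, lambda s: html.escape(s, quote=False))
    # With ENT_QUOTES the statement parses, but what is stored is HTML, not the
    # user's text: a non-web consumer of the table prints &#x27; literally.
    with_quotes = insert_concat(open_db(), NAME, lambda s: html.escape(s, quote=True))
    # A bound parameter stores the text exactly; the semicolon is just data.
    bound = insert_bound(open_db(), NAME)
    return no_quotes, with_quotes, bound


if __name__ == "__main__":
    labels = ("htmlentities (ENT_COMPAT)", "htmlentities (ENT_QUOTES)", "bound parameter")
    for label, value in zip(labels, demo()):
        print(f"{label:26} -> {value}")
```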