Posted by Richard Levasseur on 07/05/06 16:54
Harold Crump wrote:
> Hi Rik --
>
> > > My question - is it enough to pass all user input through the
> > > htmlentities() function call and store the resultant output?
> >
> > No. Use mysql_real_escape_string(), although that's not 100% secure
> > either:
> > http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
>
> My understanding is that htmlentities replaces all types of quotes with
> its HTML equivalent - doesn't that get rid of the whole problem with
> escaping, or not escaping, quotes?
>
> What's the issue with storing the &quot; in the database?
You should try to store the data as cleanly as possible. It saves
hassle when writing the output, which is the bulk of the code. If you
are sanitizing the input the best you can, then you shouldn't have to
decode the output from the database. Keep in mind you can't fully,
100% secure it, you can just make it not worth the effort of attacking.
>
> Why bother with mysql_real_escape_string and all its inherent issues if
> we can completely eliminate quotes from making their way into the SQL
> statement?
>
> What am I missing?
>
> > Prepared statements seem the way to go. Use mysqli if available.
>
> Aren't they available only with version 5 and above?
> I am still on an older version.
They became available in MySQL 4.1, which is backwards compatible with
previous client libraries, meaning, you don't need to upgrade PHP. The
only thing you have to do is use the old password hashing function for
the passwords, then everything is dandy (I upgraded from 3.23 to 4.1 a
long time ago and that was the only hiccup I encountered). I highly
recommend upgrading to at least 4.1 for native prepared statements and
subqueries.
>
> > > Also, I would like to replace all semi-colons in input with something
> > > else - but I am not sure what and how.
> >
> > Why?
>
> Semi-colons are statement terminators in SQL.
> They are commonly used in SQL injection attacks to end the current
> statement and insert a malicious statement.
>
> -Harold.
Don't forget, \g is also a statement terminator.
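The prepared-statement approach recommended in this thread, as an added example that is not code from any of the posters: the query is compiled with a `?` placeholder and the user value is bound separately, so quotes, semicolons and `\g` in the data are never seen by the SQL parser and no character replacement at input time is needed. The connection parameters and the `users(name, email)` table are constructed assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL 4.1+ server reachable
// with the constructed credentials below and a table `users` with the
// columns `name` and `email`.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // constructed
if ($mysqli->connect_error) {
    die('Connect failed: ' . $mysqli->connect_error);
}

// The user-supplied value, stored and used exactly as it arrived. A quote in
// a legitimate name such as O'Brien is data, not SQL, and is kept as-is.
$name = isset($_GET['name']) ? $_GET['name'] : "O'Brien";

// UNSAFE (left commented out): splicing the value into the SQL text lets the
// parser interpret any quote, semicolon or \g it contains. This is the case
// the thread is discussing.
// $sql = "SELECT name, email FROM users WHERE name = '$name'";

// SAFE: the statement text goes to the server first and is compiled with a
// placeholder; the value travels separately and cannot change the statement.
$stmt = $mysqli->prepare('SELECT name, email FROM users WHERE name = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('s', $name);          // 's' binds the value as a string
$stmt->execute();
$stmt->bind_result($dbName, $dbEmail);  // works without mysqlnd

// Encoding belongs at the output boundary, in that boundary's encoding. Here
// the boundary is HTML, so htmlentities() is applied when printing, not when
// storing: the database keeps the clean value, as suggested above.
while ($stmt->fetch()) {
    printf("<li>%s &lt;%s&gt;</li>\n",
        htmlentities($dbName, ENT_QUOTES, 'UTF-8'),
        htmlentities($dbEmail, ENT_QUOTES, 'UTF-8'));
}
$stmt->close();
$mysqli->close();
```

Two practical notes: `bind_param()` needs the bind type (`s`, `i`, `d`, `b`) to match how the column is compared, so a numeric column gets `i` rather than a string wrapped in quotes; and `mysql_real_escape_string()` together with the rest of the old `mysql_` extension was removed in PHP 7.0, so `mysqli` or PDO prepared statements are the only forward-compatible option.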