Re: Strategy for securing MySQL PHP application - please comment

Posted by Jerry Stuckle on 07/07/06 11:57

Harold Crump wrote:
> Hi --
>
> Jerry Stuckle wrote:
>
>>First of all, you need to separate the data from the application. You
>>may very well have multiple applications using the same data.
>
>
>>You should always separate your data from the presentation of the data.
>> &quote is part of the presentation, and should be converted after the
>>data is retrieved from the database, not before it's inserted.
>
>
> Yes, that makes sense - point taken.
> So, am I covering all my bases if I use the following strategy -
>
> Use mysql_real_escape_string for all user input that goes into the
> database
>
> Use htmlentities() for all output that goes to a browser presentation
>
> Use html_entity_decode() for all output that goes to non-web
> presentations, like a desktop application or a file stream.
>
> What else do I need to do?
>
> Thanks for your input.
>
> -Harold.
>

You shouldn't need to use html_entity_decode() for output to non-web
presentations, as you shouldn't have html entities in the database anyway.

You should also validate numeric input to ensure it is numeric. It will
prevent other types of SQL injection, i.e.

DELETE FROM table WHERE id=$i;

And the user keys in

'4 OR 1=1'

The result would be:

DELETE FROM table WHERE id=4 OR 1=1;

Deleting everything from your table. The problem doesn't happen in
strings because the entire string would be quoted. Not so for numeric data.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
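As an added example (not code from the thread), the numeric check Jerry describes, written in PHP: the unquoted query from the post beside a version that refuses anything except a canonical integer id. The function names `validate_id`, `safe_delete_sql` and `unsafe_delete_sql` are my own; the table name `table` is the one used in the post.

```php
<?php
// Added example (not from the original thread): validate numeric input
// before it reaches a query, so an unquoted id such as '4 OR 1=1' is
// rejected instead of being interpolated into "WHERE id=4 OR 1=1".
declare(strict_types=1);

// The vulnerable pattern from the post: $i is dropped into the SQL unquoted,
// so escaping cannot help here (there is no quote for the attacker to break
// out of, and no quote for mysql_real_escape_string to neutralise).
function unsafe_delete_sql(string $i): string
{
    return "DELETE FROM table WHERE id=$i;";
}

// Hardened check: accept only a string that is a canonical integer >= 1.
// Returns null for anything else; the caller treats null as a rejected request.
function validate_id(string $raw): ?int
{
    // FILTER_VALIDATE_INT returns false for '4 OR 1=1', '4abc', '' and
    // '4; DROP TABLE users'; min_range additionally rejects 0 and negatives.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function safe_delete_sql(string $raw): ?string
{
    $id = validate_id($raw);
    if ($id === null) {
        return null;   // refuse to build a query for non-numeric input
    }
    // $id is now a PHP int, so it is safe in an unquoted numeric context.
    return "DELETE FROM table WHERE id=" . $id . ";";
}

// Demonstration with constructed inputs (the first is the only valid one).
foreach (['4', '4 OR 1=1', '4; DROP TABLE users', '-1'] as $input) {
    printf("input %-24s unsafe: %-42s safe: %s\n",
        var_export($input, true),
        unsafe_delete_sql($input),
        safe_delete_sql($input) ?? 'REJECTED');
}

// Where PDO is available, keep the validation and also bind the value as an
// integer in a prepared statement rather than building SQL by hand:
//   $stmt = $pdo->prepare('DELETE FROM table WHERE id = :id');
//   $stmt->bindValue(':id', $id, PDO::PARAM_INT);
//   $stmt->execute();
```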
