Posted by Erwin Moller on 02/12/07 15:53
JM Ivler wrote:
> Is there really any time when I don't want to run every _POST and _GET
> through mysql_real_escape_string() before I use that data in accessing
> the database?
Well, if ALL your data posted to you in the form is meant to be inserted in a
MySQL database, then it comes in handy, maybe.
If the data is meant for anything else, it should be treated that way.
I would suggest that you only call mysql_real_escape on data that you are
going to use in your database statement, and leave the superglobals alone.
And as Curtis said: If you expect an integer, treat it like that, e.g.:
$userid = (int)$_POST["userid"];
Always completely scrubbing the POST and GET array sounds like overkill to
me, and could lead to bugs in your code. Just call the real escape when and
where you need it.
On a sidenote (and I don't want to sound teacherlike): Paranoid is
completely acceptable, even desirable, when processing client data in a
database.
Just make sure you know WHERE you do WHAT, and WHY you do it.
I want to emphasize that point because I have seen a LOT of (often bad)
postings in all kinds of fora where people post a 'safe insert' without even
paying attention to ini-settings or giving a detailed description of the
situation.
If people start using that code they are lured into a false sense of
security.
Being the PHP coder, you are the last line of defense against hack attacks,
and you should pay attention to each query that contains possibly tainted
data.
Using a function like the one you suggest may easily lead to a 'lazy
attitude' because all your data is safe for insert.
Just my 2 cents.
Regards,
Erwin Moller
>
> In other words, is there a good reason why I shouldn't have a function
> that walks through the POST[] and GET[] arrays and processes the
> mysql_real_escape_string() function against the data in order to ensure
> that there will be no attempts to do an SQL inject?
>
> My thinking is that this function could be run at the top of my page
> init and in doing so it will ensure that there can be no sql injection.
> Am I missing something "very bad" that this could do instead?
>
>
> function cleanall()
> {
>     foreach($_POST as $key => $val)
>     {
>         $_POST[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
>         $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
>     }
>     foreach($_GET as $key => $val)
>     {
>         $_GET[$key] = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
>         $$key = stripslashes(strip_tags(htmlspecialchars($val, ENT_QUOTES)));
>     }
> }
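As an added illustration (not code from either poster), the following PHP contrasts the point-of-use handling Erwin recommends with the blanket scrub in cleanall(). The escaper is passed in as a callable so the snippet runs without a database connection; the table and column names and the request values are constructed for the demo.

```php
<?php
// Added example, not from the thread. Integers are cast, strings are escaped
// only where the SQL statement is built, and $_POST/$_GET are left untouched
// so the same raw value can still be used for other purposes (e.g. HTML output).
//
// $escape stands in for mysqli_real_escape_string($link, $s); the procedural
// mysql_real_escape_string() discussed in the thread was removed in PHP 7.
// Table and column names (users, name, id) are assumptions.

function build_update_query(array $input, callable $escape): string
{
    $userid = (int) ($input['userid'] ?? 0);              // expected integer: cast it
    $name   = $escape((string) ($input['name'] ?? ''));   // string: escape at the point of use
    return "UPDATE users SET name = '$name' WHERE id = $userid";
}

// Offline stand-in for the real escaper (assumption for this demo only).
$escape = fn(string $s): string => addslashes($s);

// Constructed request data, as it might arrive in $_POST.
$post = ['userid' => '42abc', 'name' => "O'Reilly <b>"];

// Point-of-use approach: SQL gets an escaped copy, HTML gets its own encoding,
// and the original value in $post is unchanged.
$sql  = build_update_query($post, $escape);
$html = htmlspecialchars($post['name'], ENT_QUOTES);

// Blanket approach from the question: the stored value is HTML-encoded before it
// ever reaches the database, and 'userid' is still an arbitrary string.
$scrubbed = stripslashes(strip_tags(htmlspecialchars($post['name'], ENT_QUOTES)));

echo "SQL:      $sql\n";
echo "HTML:     $html\n";
echo "Scrubbed: $scrubbed\n";
echo "Raw:      {$post['name']}\n";
```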