Posted by Andy Hassall on 08/17/05 21:47

On Tue, 16 Aug 2005 22:05:29 +0200, Archibald <usenet0@poczta.onet.pl> wrote:

>2) mysql user input checking. User can affect database directly by
>registration (username, password) and messages to other users (subject
>and text). This can mess the database if they put for example "'" symbol
>in their username. What are the other dangerous characters?

Properly escaped, no character is dangerous.

>How should I
>protect/limit username and message text (I understand I should use
>functions like strip_tags() or similar, but there are plenty of such
>functions and I don't know which to choose).

mysql_escape_string() is the manual way of doing it, but save yourself the
risk of forgetting to escape characters by using a database library. My
recommendation is ADOdb as it has a decent interface, and is a thin enough
layer not to affect performance noticeably.

http://adodb.sourceforge.net/

ADOdb emulates placeholders for databases that don't have them natively (e.g.
MySQL), so data and SQL are properly separated and any escaping is done behind
the scenes if required. So you'd do something like:

$db->Execute(
    'insert into wibble (x, y) values (:1, :2)',
    array($x, $y)
);

You do not escape or modify $x or $y in any way - the library does whatever is
required to get those values into the database safely.

--
Andy Hassall / <andy@andyh.co.uk> / <http://www.andyh.co.uk>
<http://www.andyhsoftware.co.uk/space> Space: disk usage analysis tool
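The three approaches discussed in the reply side by side, as an added example that is not the poster's code: it uses PDO (bundled with PHP since 5.1) in place of ADOdb, so the placeholder syntax differs, but the point is the same, the quote in the username never touches the SQL text. Table and column names are assumed.

```php
<?php
// Added example, not from the original post. Shows why a "'" in a username
// breaks naive SQL, what manual escaping costs you, and how placeholders
// keep data and SQL apart. Uses PDO instead of ADOdb; same principle.

// Constructed sample input: the apostrophe case the question asks about.
$username = "O'Brien";
$password = "s3cret";   // in practice store a password hash, not the plaintext

// 1) Unsafe: the value is pasted into the statement text, so the quote in
//    the username terminates the string literal early. MySQL rejects the
//    result as a syntax error, and crafted input can change the query.
function buildNaiveInsert($username, $password) {
    return "INSERT INTO users (username, password) VALUES ('$username', '$password')";
}
// yields: INSERT INTO users (username, password) VALUES ('O'Brien', 's3cret')

// 2) Manual escaping: correct when done, but every call site has to
//    remember it, which is the risk the reply warns about.
function buildEscapedInsert(PDO $db, $username, $password) {
    return sprintf(
        "INSERT INTO users (username, password) VALUES (%s, %s)",
        $db->quote($username),   // PDO::quote() escapes and adds the quotes
        $db->quote($password)
    );
}

// 3) Placeholders: the SQL text is fixed and the values travel separately
//    (or the driver escapes them itself when it has to emulate binding).
//    $username and $password are passed through untouched.
function insertUser(PDO $db, $username, $password) {
    $stmt = $db->prepare(
        'INSERT INTO users (username, password) VALUES (:username, :password)'
    );
    $stmt->execute([':username' => $username, ':password' => $password]);
    return $stmt->rowCount();
}

// Usage against a real database (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// insertUser($db, $username, $password);

// Offline: print the broken statement so the failure mode is visible.
echo buildNaiveInsert($username, $password), "\n";
```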
