Posted by Ben on 10/14/05 01:52
Graham Anderson said the following on 10/13/05 15:31:
> Is this a bit better ?
> As directed, I 'sanitized' all user input variables with trim and
> mysql_real_escape_string.
>
> thanks for everyone's patience as I am starting at ground zero
> concerning security.
>
>
> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
> {
> // decrypt and santize variables
> $cmd = isset($_REQUEST['cmd']) ? cleanser(decrypt($_REQUEST
> ['cmd'])) : $cmd="null";
> $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST
> ['path'])) : $path="null";
> .
> .
> .
>
> the cleanser script:
> function cleanser( $value )
> {
> return mysql_real_escape_string( trim( $value ) ) ;
> }
>
> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
> outside the web folder.
>
> many thanks :)
My understanding is that mysql_real_escape_string will only work while
you are connected to mysql. Not sure if that is the case in your situation.
- Ben
[Back to original message]
|