Posted by David Robley on 10/14/05 06:48

Ben wrote:

> Graham Anderson said the following on 10/13/05 15:31:
>> Is this a bit better ?
>> As directed, I 'sanitized' all user input variables with trim and
>> mysql_real_escape_string.
>>
>> thanks for everyone's patience as I am starting at ground zero
>> concerning security.
>>
>>
>> if( isset($_REQUEST['cmd']) OR isset($_REQUEST['path'] ))
>> {
>> // decrypt and santize variables
>> $cmd = isset($_REQUEST['cmd']) ? cleanser(decrypt($_REQUEST
>> ['cmd'])) : $cmd="null";
>> $path = isset($_REQUEST['path']) ? cleanser(decrypt($_REQUEST
>> ['path'])) : $path="null";
>> .
>> .
>> .
>>
>> the cleanser script:
>> function cleanser( $value )
>> {
>> return mysql_real_escape_string( trim( $value ) ) ;
>> }
>>
>> the 'decrypt' function uses MCRYPT_RIJNDAEL_256 with a $key stored
>> outside the web folder.
>>
>> many thanks :)
>
> My understanding is that mysql_real_escape_string will only work while
> you are connected to mysql. Not sure if that is the case in your
> situation.

That is incorrect. mysql_real_escape_string is a php function, not mysql.




Cheers
--
David Robley

Computer programmers do it byte by byte.

[Back to original message]