natriss102 (Bushi)
Joined: 23 Oct 2004, Posts: 256, Location: The plains of Kansas
Posted: Sun Mar 12, 2006 2:14 pm, Post subject: so don't you bring me (or rather my server) down
down by socialburn
For my project, it's inevitable that I'm going to have to pass user-inputted data from forms, and much of it to MySQL. In general, what problems should I try to prevent from occurring because of that? What vulnerabilities ought I watch out for, not just MySQL? I think I prevented a MySQL injection attack by adding slashes to all the data.
Ankou (Spam Mod)
Joined: 22 Oct 2004, Posts: 1201, Location: Wisconsin
Posted: Sun Mar 12, 2006 4:31 pm
The addslashes() and stripslashes() functions are nice, but have a peek at mysql_real_escape_string() as well (http://us2.php.net/manual/en/function.mysql-real-escape-string.php). I believe on that page they have a "Best Practice" function or something that's a good place to start.

Taking user input always comes with a lot of checking -- if you want to make it all super secure, but do yourself a favor and make sure that when accepting user input you make it easy on yourself. Make sure not to allow users a chance to mess anything up, and use input fields that can't be messed with. For example, if you need to have them input the state they live in, use a drop-down menu, or if you use a text field, limit it to 2 characters.

Make use of regular expressions to check data as well. If you need a person's first and last name, check to make sure the info being passed only contains A-Za-z.

But really, if you're just using the data to be displayed on a page it's not a huge deal. But using the variables in a MySQL query means making use of the functions listed above. You may want to check a little more to make sure that the info is fine for your MySQL table fields, but those are usually pretty simple checks.

BTW -- if you do use mysql_real_escape_string() make sure to notice on the manual page for it:

Quote: Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
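A worked version of the checks in the post above (whitelist the fixed-format fields, escape what goes into the query, and escape % and _ separately when the value ends up in a LIKE pattern), added here as an example and not code from the thread. It uses mysqli, since the mysql_* functions were removed in PHP 7, and assumes a connection in $db and a constructed users table.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection in $db
// and a constructed table users(first_name, last_name, state).

// Whitelist checks as the post suggests: names only A-Za-z, state 2 letters.
function validName(string $s): bool {
    return preg_match('/^[A-Za-z]{1,50}$/', $s) === 1;
}
function validState(string $s): bool {
    return preg_match('/^[A-Z]{2}$/', $s) === 1;
}

// Fixed-format fields: validate first, then escape what goes into the query.
function insertUser(mysqli $db, string $first, string $last, string $state): bool {
    if (!validName($first) || !validName($last) || !validState($state)) {
        return false;   // reject bad input outright instead of "cleaning" it
    }
    $sql = sprintf(
        "INSERT INTO users (first_name, last_name, state) VALUES ('%s', '%s', '%s')",
        $db->real_escape_string($first),
        $db->real_escape_string($last),
        $db->real_escape_string($state)
    );
    return $db->query($sql) === true;
}

// Free-text search: real_escape_string() leaves % and _ alone, so a term that
// lands inside a LIKE pattern needs them escaped too, or a single "%" from the
// form matches every row. addcslashes() runs first; the driver then doubles the
// backslashes, MySQL undoes that when parsing the literal, and LIKE sees \% \_.
function likeLiteral(mysqli $db, string $s): string {
    return $db->real_escape_string(addcslashes($s, '\\%_'));
}

function searchLastName(mysqli $db, string $term): array {
    if ($term === '' || strlen($term) > 50) {
        return [];      // length limit, as with the 2-character state field
    }
    $sql = "SELECT first_name, last_name FROM users WHERE last_name LIKE '"
         . likeLiteral($db, $term) . "%'";
    $rows = [];
    if ($res = $db->query($sql)) {
        while ($row = $res->fetch_assoc()) {
            $rows[] = $row;
        }
    }
    return $rows;
}
```

The same wildcard caveat applies with prepared statements: a placeholder stops the term from breaking out of the string, but % and _ inside it still act as wildcards unless escaped as above.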
natriss102 (Bushi)
Joined: 23 Oct 2004, Posts: 256, Location: The plains of Kansas
Posted: Mon Mar 13, 2006 1:10 pm
I used the best practice function as well. However, I don't really like that there must be a mysql function beforehand. I didn't realize that until I started getting loads of warnings. I'll fix it up. Other than MySQL, is there anything I should watch out for?
Ankou (Spam Mod)
Joined: 22 Oct 2004, Posts: 1201, Location: Wisconsin
Posted: Mon Mar 13, 2006 2:21 pm
As for that best practice function, well, it's nice to use if you're working with MySQL. If you're not, then you really don't need to worry about escaping some of those characters (say, for output in a web browser). You can modify that function to work for both MySQL queries and non-MySQL queries easily enough.

natriss102 wrote: Other than MySQL, is there anything I should watch out for?

I guess it depends on the project and what you're going to do with it. I mean, if you're looking to allow others to use the code, then pay attention to the functions you're using. If you're working with PHP 5 you may want to make sure that you have alternative methods for anyone using PHP 4. So watch your versions -- PHP, MySQL -- and watch for any other function libraries that you may use that aren't common to PHP releases.

Classes and your functions -- classes in PHP differ between PHP 4 and 5, so if you use those, make sure you're going with the one you need (for yourself and if you plan to release the code). User-made functions -- not a lot to watch out for here really, just make sure that you're creating and using them properly. Meaning allow for quick updates later if you feel you'll need them. Store functions in a separate file, create them so you can reuse them for other projects, etc.

Document (comment) your code. May seem obvious, but sometimes for "simple" projects we don't do that. I've dug up some old, "simple", un-commented PHP code and have spent a few hours looking it over. It's a WHOLE lot easier to comment as you go than to retrace your steps later.

Variables -- you don't need variables for everything, so don't go overboard with them. At the same time, making use of the define() function can be a great help for variables that you know you'll need a lot and don't want to risk making changes to somewhere in the program.

Error checking and warnings -- you're dealing with user input, so error check as much as you can. Also check your php.ini file and look for the error_reporting level -- for testing and such it may be a good idea to set that to E_ALL so you get errors, warnings and notices to help you check what's going on.

Depending on the scope of the project you may want to make sure that you've planned everything out. Come up with a project plan, design phases, testing, etc. That's a whole new topic though, so unless you really need more details on that one, I think something basic should be okay (I'm sure others may disagree).

I feel like I'm missing something that's important, but off the top of my head I think I've hit on all I can without knowing more about what you're doing and/or planning to do with the code. If something else comes to me, I'll be back.