COMMENT FORM

on 01.08.2007 22:51:41 by zach

I know how to take data from a form and insert it into MySql. For a
comment form on something like a blog or news article, is using
addslashes() all that is needed to prevent unwanted malicious user data?
There's got to be something more right? Can anyone tell me what I need
to do or point me to some tutorial and/or articles?

Thanks
Zach W.

Re: COMMENT FORM

on 01.08.2007 22:58:32 by Michael Fesser

..oO(zach)

>I know how to take data from a form and insert it into MySql. For a
>comment form on something like a blog or news article, is using
>addslashes() all that is needed to prevent unwanted malicious user data?

No. addslashes() is hardly ever necessary. Of course its counterpart
stripslashes() is required to get the "raw" data if magic quotes are
enabled on the server.

> There's got to be something more right? Can anyone tell me what I need
>to do or point me to some tutorial and/or articles?

Use mysql_real_escape_string() or - even better - prepared statements,
as provided by the PDO extension. And google for "SQL injection".

Micha

Re: COMMENT FORM

on 02.08.2007 01:13:48 by zach

Michael Fesser wrote:
> .oO(zach)
>
>> I know how to take data from a form and insert it into MySql. For a
>> comment form on something like a blog or news article, is using
>> addslashes() all that is needed to prevent unwanted malicious user data?
>
> No. addslashes() is hardly ever necessary. Of course its counterpart
> stripslashes() is required to get the "raw" data if magic quotes are
> enabled on the server.
>
>> There's got to be something more right? Can anyone tell me what I need
>> to do or point me to some tutorial and/or articles?
>
> Use mysql_real_escape_string() or - even better - prepared statements,
> as provided by the PDO extension. And google for "SQL injection".
>
> Micha

I don't believe my host has magic quotes on; I use Media Temple's grid
server, if anyone's familiar with that. So if I use
mysql_real_escape_string() on the data being inserted into the database,
that's it? I thought it was more complicated than that... Will I need to
use stripslashes() before printing to the screen?

Re: COMMENT FORM

on 02.08.2007 05:55:46 by luiheidsgoeroe

On Thu, 02 Aug 2007 01:13:48 +0200, zach wrote:

> Michael Fesser wrote:
>> .oO(zach)
>>
>>> I know how to take data from a form and insert it into MySql. For a
>>> comment form on something like a blog or news article, is using
>>> addslashes() all that is needed to prevent unwanted malicious user
>>> data?
>> No. addslashes() is hardly ever necessary. Of course its counterpart
>> stripslashes() is required to get the "raw" data if magic quotes are
>> enabled on the server.
>>
>>> There's got to be something more right? Can anyone tell me what I
>>> need to do or point me to some tutorial and/or articles?
>> Use mysql_real_escape_string() or - even better - prepared statements,
>> as provided by the PDO extension. And google for "SQL injection".
>> Micha
>
> I don't believe my host has magic quotes on; I use Media Temple's grid
> server, if anyone's familiar with that. So if I use
> mysql_real_escape_string() on the data being inserted into the database,
> that's it?

To some extent. Some exotic characters will give you problems.

> I thought it was more complicated than that...

It is, but it's not very likely to hit you; it's a combination of a rare
database setup combined with particular encoding/unicode characters that
might get through this. At least, that's what I've heard. I never changed
my database to the settings under which some claim it's vulnerable.

> Will I need to use stripslashes() before printing to the screen?

Heel o, unless the slashes are magically added, no adding or deleting of
slashes is required. If you print on an HTML page though, at least
htmlspecialchars() is required, and possibly htmlentities() or more
depending on the characters sent.
--
Rik Wasmus
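The advice from Michael's and Rik's replies put together, as an added example that is not code from any poster in this thread: a PDO prepared statement for the insert (the connection charset in the DSN is what covers the "exotic characters" caveat), an optional stripslashes() step for hosts with magic quotes on, and htmlspecialchars() on output. It assumes a `comments` table with `id`, `author` and `body` columns and placeholder database credentials.

```php
<?php
// Added example, not from the thread. Assumed: a `comments` table with
// columns id, author, body; credentials below are placeholders.
declare(strict_types=1);

// The unsafe pattern the thread starts from would be string concatenation:
//   "INSERT ... VALUES ('" . addslashes($body) . "')"
// Here the SQL text is fixed and user data is bound separately instead.

// charset=utf8mb4 makes the connection charset explicit, so escaping and
// binding agree with the charset MySQL actually uses for this connection.
$dsn = 'mysql:host=localhost;dbname=blog;charset=utf8mb4';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Undo magic quotes only where the server actually adds them; the check
// is guarded because get_magic_quotes_gpc() no longer exists in PHP 8.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Storing: quotes or backslashes in $body cannot alter the statement,
// because they never become part of the SQL text.
function store_comment(PDO $pdo, string $author, string $body): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (author, body) VALUES (:author, :body)'
    );
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Displaying: SQL escaping says nothing about HTML, so encode on output.
// ENT_QUOTES also covers single quotes inside attribute values.
function render_comment(array $row): string
{
    $author = htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8');
    $body   = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
    return '<p><b>' . $author . '</b>: ' . $body . '</p>';
}

// Constructed sample input with the classic quote-bearing values.
store_comment($pdo, raw_input($_POST['author'] ?? "O'Brien"),
                    raw_input($_POST['body'] ?? "It's \"great\" <3"));
foreach ($pdo->query('SELECT author, body FROM comments ORDER BY id DESC') as $row) {
    echo render_comment($row), "\n";
}
```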

Re: COMMENT FORM

on 02.08.2007 06:00:57 by luiheidsgoeroe

Excuse the typos and bad grammar. Time for bed now....


--
Rik Wasmus

Re: COMMENT FORM

on 02.08.2007 17:43:39 by zach

Rik wrote:
> Excuse the typos and bad grammar. Time for bed now....
>
>
> --Rik Wasmus

Thank you very much, guys. I'll mess with it this weekend after my tests
at school :)

zach