Slashes or no slashes

on 19.08.2010 23:28:47 by Karl DeSaulniers


Hello,
When I add an item to my database and I use addslashes(),
do I have to use addslashes() to a query that looks for that item?
Or would I be adding double slashes and canceling my own result?
TIA

Karl DeSaulniers
Design Drumm
http://designdrumm.com



RE: Slashes or no slashes

on 19.08.2010 23:36:45 by Daevid Vincent

You should be using
http://us2.php.net/manual/en/function.mysql-escape-string.php

You don't need to search with extra slashes for retrieval.



--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Slashes or no slashes

on 19.08.2010 23:41:44 by Karl DeSaulniers


Thanks for the response Daevid.
So, I don't need to use addslashes() at all?
Instead use mysql_escape_string() on INSERT statements, UPDATE
statements, SELECT statements, etc.?
Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 19.08.2010 23:44:05 by Karl DeSaulniers


Ah, but let's say I am using a character set utf-8, I should use
mysql_real_escape_string() instead?
Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 20.08.2010 00:05:50 by Karl DeSaulniers


For a line like this:

return htmlspecialchars(stripslashes($this->values[$field]));

would I change this to?

return mysql_real_escape_string($this->values[$field]);

Or do I still need the htmlspecialchars? In that case would I change
it to?

return htmlspecialchars(mysql_real_escape_string($this->values[$field]));

TIA

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 20.08.2010 00:40:00 by kapuoriginal

I think you should use prepared statements.

Kapu


Re: Slashes or no slashes

on 20.08.2010 01:07:28 by Karl DeSaulniers

Ahhh.. Kapu where were you three months ago?? :)
Prepared statements sound like the way to go,
but at this point that would mean converting a lot of pages.
I will have to investigate some more about this and convert the code
over at a later date.
For now I think mysql_real_escape_string will work for what I am doing.
Thank you all for your responses. Again.

Best,

Karl



Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 23.08.2010 02:12:33 by dmagick

On 20/08/10 08:05, Karl DeSaulniers wrote:
> For a line like this..
>
> return htmlspecialchars(stripslashes($this->values[$field]));
>
> would I change this to?
>
> return mysql_real_escape_string($this->values[$field]);
>
> Or do I still need the htmlspecialchars? In that case would I change it to?
>
> return htmlspecialchars(mysql_real_escape_string($this->values[$field]));

You use mysql_real_escape_string for queries on the way in.

$query = "select * from table where name='".mysql_real_escape_string($_POST['name'])."'";

You use htmlspecialchars on the way out:

$value = htmlspecialchars($row['name']);


--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Slashes or no slashes

on 24.08.2010 03:22:20 by Karl DeSaulniers


Ah.. thanks Chris.
If I want to compare that value I get from the database to what a user entered,
do I escape the value they entered or add htmlspecialchars to it
before comparing it to what comes out of the database?
Sorry this is such a PHP 101 question. If you have time to respond,
please do, otherwise no worries, I am sure I will figure it out.
Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 24.08.2010 03:35:39 by dmagick

> Ah.. thanks Chris.
> If I want to compare that value I get from the database to what a user
> entered,
> do I escape the value they entered or add htmlspecialchars to it before
> comparing it to what comes out of the database.
> Sorry this is such a PHP 101 question. If you have time to respond,
> please do, otherwise no worries, I am sure I will figure it out.

If you want to compare, you're doing a query - so use
mysql_real_escape_string:

$query = "select blah from table where name='" . mysql_real_escape_string($_POST['name']) . "'";

When you print results, you use htmlspecialchars:

echo "Your search for " . htmlspecialchars($_POST['name']) . " returned X results";

--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Slashes or no slashes

on 24.08.2010 03:49:58 by Karl DeSaulniers


Thanks again, Chris.
To be more specific, is this correct?

function confirmUP($username, $password){
$username = mysql_real_escape_string($username);

/* Verify that user is in database */
$q = "SELECT password FROM TBL-U WHERE username = '$username'";
$result = $this->query($q);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}

/* Retrieve password from result */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = htmlspecialchars($dbarray['password']);
$password = mysql_real_escape_string(md5($password));
$password = htmlspecialchars($password);

/* Validate that password is correct */
if($password == $dbarray['password']){
return 0; //Success! Username and password confirmed
}
else{
return 2; //Indicates password failure
}
}

The password was added to the database with md5() applied after
escaping.
Thank you for responding so quickly.

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 24.08.2010 04:31:28 by dmagick

> To be more specific. Is this correct?
>
> function confirmUP($username, $password){
> $username = mysql_real_escape_string($username);
>
> /* Verify that user is in database */
> $q = "SELECT password FROM TBL-U WHERE username = '$username'";

I normally do it in the query in case you use the variable somewhere
else but here it's ok because you don't use $username elsewhere. Be
careful though, it may bite you and it will be difficult to track down.

eg

$q = "select password from table where username='" .
mysql_real_escape_string($username) . "'";

echo "You entered " . htmlspecialchars($username) . ", either it was
wrong or the password was wrong. Try again.";

Doing the escape_string before the query means you end up with (basically)

htmlspecialchars(mysql_real_escape_string($username));

which will cause weird characters to show up in certain cases.

> $result = $this->query($q);
> if(!$result || (mysql_numrows($result) < 1)){
> return 1; //Indicates username failure
> }
>
> /* Retrieve password from result */
> $dbarray = mysql_fetch_array($result);
> $dbarray['password'] = htmlspecialchars($dbarray['password']);
> $password = mysql_real_escape_string(md5($password));
> $password = htmlspecialchars($password);

You're not displaying the password so don't htmlspecialchars it.

Just:

if ($dbarray['password'] == md5($password)) {
return 0; // success!
}

Only specialchars it when you display it (like the echo above).

--
Postgresql & php tutorials
http://www.designmagick.com/
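Kapu's prepared-statement suggestion and Chris's rule (escape on the way in, htmlspecialchars on the way out, and never both on the same value), as an added example that is not code from the thread. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database as a stand-in for MySQL so it runs offline; addslashes() stands in for mysql_real_escape_string() only to reproduce the double-encoding artefact Chris describes.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands
// in for MySQL so this runs offline (the thread's mysql_* functions need a
// live connection and were removed in PHP 7).
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
    return $db;
}

// On the way in: a prepared statement (Kapu's suggestion) replaces the
// mysql_real_escape_string() concatenation. The raw value is bound as data,
// so a quote inside it can never terminate the SQL string literal.
function addUser(PDO $db, string $username): void {
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
}

// Comparing user input against a stored value is just another query: bind
// the raw input; do not HTML-encode it first or it will not match.
function userExists(PDO $db, string $username): bool {
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchColumn() !== false;
}

// On the way out: encode for HTML only at the point of display.
function renderGreeting(string $username): string {
    return 'You entered ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}

// The "weird characters" Chris warns about: HTML-encoding a value that was
// already SQL-escaped. addslashes() stands in for mysql_real_escape_string()
// here; both put a backslash before a single quote, and that backslash then
// leaks into the rendered page.
function doubleEncoded(string $username): string {
    return htmlspecialchars(addslashes($username), ENT_QUOTES, 'UTF-8');
}

$db = openDb();
$name = "O'Brien & Sons";            // constructed sample input
addUser($db, $name);

$encoded = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
echo 'raw input matches stored row:      ', var_export(userExists($db, $name), true), "\n";
echo 'HTML-encoded input matches stored: ', var_export(userExists($db, $encoded), true), "\n";
echo 'display (correct):                 ', renderGreeting($name), "\n";
echo 'display (double-encoded):          ', doubleEncoded($name), "\n";
```

The first lookup matches and the second does not, which is why the comparison value must stay raw; the last line shows the stray backslash that appears when a SQL-escaped value is HTML-encoded.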



Re: Slashes or no slashes

on 24.08.2010 05:04:04 by Karl DeSaulniers


Ahhh. I see.
But I do still put the escape on what they entered so it will match
what is in the database.
Ok. Thank you Thank you Thank you.

Best,

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 24.08.2010 05:15:03 by Karl DeSaulniers




Just to make sure, cause I am ready to get past this.
Is this correct?

function confirmUP($username, $password){
    /* Verify that user is in database */
    $q = "SELECT password FROM ".TBL_USERS." WHERE username = '".mysql_real_escape_string($username)."'";
    $result = $this->query($q);
    if(!$result || (mysql_numrows($result) < 1)){
        return 1; //Indicates username failure
    }

    /* Retrieve password from result */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = htmlspecialchars($dbarray['password']); //Or is this where I need to leave htmlspecialchars off too?

    /* Validate that password is correct */
    if(md5($password) == $dbarray['password']){
        return 0; //Success! Username and password confirmed
    }
    else{
        return 2; //Indicates password failure
    }
}


Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 24.08.2010 05:35:13 by dmagick

> Just to make sure, cause I am ready to get past this.
> Is this correct?
>
> function confirmUP($username, $password){
> /* Verify that user is in database */
> $q = "SELECT password FROM ".TBL_USERS." WHERE username =
> '".mysql_real_escape_string($username)."'";

Perfect.

> /* Retrieve password from result */
> $dbarray = mysql_fetch_array($result);
> $dbarray['password'] = htmlspecialchars($dbarray['password']); //Or is
> this where I need to leave htmlspecialchars off too?

Leave it off.

You're not displaying $dbarray['password'] here - so you don't need to
use htmlspecialchars.

--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Slashes or no slashes

on 24.08.2010 06:38:15 by Karl DeSaulniers


Got it. So only when I am going to display the result from the
database. I see.
But for comparing $dbarray['password'] to $password, don't I have to
escape $password and then md5 it?
TIA


Karl DeSaulniers
Design Drumm
http://designdrumm.com

@david.lopez: Your emails are getting blocked by my ISP, so I have
not seen any of your emails. Not ignoring you, promise.


Re: Slashes or no slashes

on 24.08.2010 06:43:16 by dmagick

> Got it. So only when I am going to display the result from the database.
> I see.

Or email (or otherwise present it to the user), yes.

> But for comparing $dbarray['password'] to $password, don't I have to
> escape $password and then md5 it?

Right.

--
Postgresql & php tutorials
http://www.designmagick.com/



Re: Slashes or no slashes

on 24.08.2010 07:39:48 by Karl DeSaulniers


In the case that you're comparing a field to a field in the database
(the field name),
do you escape that, or because it is hardcoded you don't need to?
My thoughts are that you need to escape all data going in.
But I do not know if it will match.

E.g.:

/**
 * updateProduct
 */
function updateProduct($ProductName, $field, $value){
    $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." = '".mysql_real_escape_string($value)."' WHERE ProductName = '".mysql_real_escape_string($ProductName)."'";
    return $this->query($q);
}

Do I escape $field? mysql_real_escape_string($field)?
$field is not a user entered value, but should I escape it to block hacks?
If $field = "username", will mysql_real_escape_string($field) match?
My thoughts are yes, because there are no special characters in my
hardcode,
and if there was an attempt to do an injection with this var, it
would catch it.
Am I on the right path with my thoughts?
TIA

Karl DeSaulniers
Design Drumm
http://designdrumm.com



Re: Slashes or no slashes

on 24.08.2010 08:13:28 by dmagick

>
> In the case that you're comparing a field to a field in the database (the
> field name)
> do you escape that or because it is hardcoded you don't need to?
> My thoughts are that you need to escape all data going in.

Correct. A field name is not data though. You've already validated it
(somehow, either by hardcoding it, or checking it against field names to
make sure it's a proper field and doesn't contain weird chars).

> But I do not know if it will match.
>
> EG:
>
> /**
> * updateProduct */
> function updateProduct($ProductName, $field, $value){
> $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." =
> '".mysql_real_escape_string($value)."' WHERE ProductName =
> '".mysql_real_escape_string($ProductName)."'";
> return $this->query($q);
> }
>
> Do I escape $field? mysql_real_escape_string($field)?

You can only escape data, not field or table (or database) names.

--
Postgresql & php tutorials
http://www.designmagick.com/
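Chris's point that a field name is validated rather than escaped, as an added example that is not code from the thread: updateProduct() rewritten so the column name is checked against an allow-list before it is spliced into the SQL, while the two data values are bound through a prepared statement. It assumes PHP with the pdo_sqlite extension; the products table, its columns, the allow-list and the sample row are constructed for the example.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands
// in for MySQL so this runs offline.
declare(strict_types=1);

// Columns a caller may update. Constructed for the example; in real code
// this mirrors the table definition. An identifier cannot be escaped like
// data, so the only defence is to accept it from a known list.
const UPDATABLE_PRODUCT_FIELDS = ['price', 'description'];

function openProductDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (ProductName TEXT PRIMARY KEY, price REAL, description TEXT)');
    $db->exec("INSERT INTO products VALUES ('Snare Drum', 120.0, 'Steel shell')");
    return $db;
}

// Returns true when exactly one row was updated. Throws
// InvalidArgumentException when $field is not an allowed column.
function updateProduct(PDO $db, string $productName, string $field, string $value): bool {
    if (!in_array($field, UPDATABLE_PRODUCT_FIELDS, true)) {
        throw new InvalidArgumentException("Unknown product field: $field");
    }
    // $field is now one of our own literals, so splicing it into the SQL is
    // safe. The two data values are bound, never concatenated.
    $stmt = $db->prepare("UPDATE products SET `$field` = :value WHERE ProductName = :name");
    $stmt->execute([':value' => $value, ':name' => $productName]);
    return $stmt->rowCount() === 1;
}

function productDescription(PDO $db, string $productName): ?string {
    $stmt = $db->prepare('SELECT description FROM products WHERE ProductName = :name');
    $stmt->execute([':name' => $productName]);
    $desc = $stmt->fetchColumn();
    return $desc === false ? null : (string) $desc;
}

$db = openProductDb();

// Legitimate call: a hard-coded field name and a user-supplied value that
// contains both kinds of quote. The value needs no escaping because it is bound.
$ok = updateProduct($db, 'Snare Drum', 'description', "14\" steel shell, O'Neill finish");
echo 'update applied: ', var_export($ok, true), "\n";
echo 'stored description: ', productDescription($db, 'Snare Drum'), "\n";

// Field names that are not on the allow-list are rejected before any SQL is
// built: one is a real column that must not be changed, one is not a column.
foreach (['ProductName', 'not_a_column'] as $badField) {
    try {
        updateProduct($db, 'Snare Drum', $badField, '0');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```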

