Safe Guard when updating

Well, I have this profile type setup, where people edit their profile, it goes to the database, then it returns to their profile where they can view the new data.

Real simple, right.

Well, I've been thinking, and I just kinda tested it... but why do I have a feeling this could go wrong :S. Like, what if they try to <? include(""); ?> something, would it work? I mean, the fields that they can edit are marked as text so it doesn't read it as anything else but text, right?


However, when I tried to put a random include in one of the fields, it simply doesn't display the include, you can't even see it. So that must mean it's in the code, since it's not displayed.


If this be the case, how can I set it so that anything they insert automatically displays as text, and doesn't work on the side, or anything like that.




The problem with that, is that I want to allow links, and allow certain pictures.

You should be using mysql_real_escape_string as well as htmlentities().

Alright, thanks, I'll look into em!

Ok, so I've been reading through MySQL injection stuff and such, but I really don't understand it all that well...

Few questions:

1. Why are slashes so bad? Why do we sometimes want to remove them, and other times add them?
2. Why should we quote everything that goes into the database, but remove the quotes when bringing it out?
3. Why would entering a random space or slash into the password field in a user login allow them to sign in, or edit things?


I read it, and I see how to do it, but without knowing why, or understanding it properly, I don't think I'll be effective at it XD! So if anyone cares to go into more details..

I did read a lot of php.net's, but they don't really tell you why, just what it'll do.

basicaly you are tricking the database with information that is valid but, gives them ability to do things that they shouldn't.

For example:

normal input:
SELECT * FROM users WHERE username = 'p4plus2'

BAD input:
SELECT * FROM users WHERE username = '' OR 1''


WHERE statement with an OR clause of 1 is always true so it will let you in as that user.


Another example:
bad input:
SELECT * FROM users WHERE username = ' '; DELETE FROM users WHERE 1 or username = ' '

which will delete all of your users table.


Get it now?

so if you have a form...

you put

for instance to assign new variables...

$user = mysql_real_escape_string($_POST['user']);

And that'll fix it?

But what about slashes, I can understand the extra queries used in form fields altering it, but I don't understand what slashes can do, or how they can be used in injection.

like every script i see uses stripcslashes() on like, everything... if that's the case... why would you add slashes?