  1. #1
    Regular Coder Deacon Frost's Avatar
    Join Date
    Feb 2008
    Location
    Between the Lines
    Posts
    279
    Thanks
    31
    Thanked 4 Times in 4 Posts

    Safe Guard when updating

    Well, I have this profile-type setup, where people edit their profile, it goes to the database, then it returns to their profile where they can view the new data.

    Real simple, right?

    Well, I've been thinking, and I just kinda tested it... but why do I have a feeling this could go wrong :S. Like, what if they try to <? include(""); ?> something, would it work? I mean, the fields that they can edit are marked as text, so it doesn't read it as anything else but text, right?

    However, when I tried to put a random include in one of the fields, it simply doesn't display the include; you can't even see it. So that must mean it's in the code, since it's not displayed.

    If this be the case, how can I set it so that anything they insert automatically displays as text, and doesn't work on the side, or anything like that?

    The problem with that is that I want to allow links, and allow certain pictures.

  • #2
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    You should be using mysql_real_escape_string as well as htmlentities().
    ||||If you are getting paid to do a job, don't ask for help on it!||||

  • Users who have thanked _Aerospace_Eng_ for this post:

    Deacon Frost (03-17-2008)
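
Why the include "disappeared" in the first post: the browser hides `<? ... ?>` as an unknown tag, so the text is sitting in the page's HTML source unchanged. PHP does not evaluate strings that come back out of the database, so the include never runs; the real risk is that other HTML (a script tag, an event handler) would be interpreted by every visitor's browser. The advice in #2 splits into two jobs: escape for the database on the way in, escape for HTML on the way out. The following is an added example, not code posted in this thread, that does both and still allows links and pictures as the first post wants. It uses PDO with an in-memory SQLite database so it runs stand-alone; the `profiles` table, the `[img]` tag syntax and the host name `img.example.com` are assumptions.

```php
<?php
// Added example, not code from this thread. Stores a profile field with a
// prepared statement and renders it so that everything the user typed is
// shown as literal text; only an allow-listed subset (http(s) links, and
// images from one fixed host) is turned back into markup. Uses an in-memory
// SQLite database through PDO so it runs stand-alone; the table name, the
// host name img.example.com and the [img] tag syntax are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (user TEXT PRIMARY KEY, about TEXT)');

// Saving: the value is bound as a parameter, never pasted into the SQL text.
// The input is stored exactly as typed; nothing is escaped on the way in.
function saveAbout(PDO $db, string $user, string $about): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO profiles (user, about) VALUES (:u, :a)');
    $stmt->execute([':u' => $user, ':a' => $about]);
}

function loadAbout(PDO $db, string $user): string
{
    $stmt = $db->prepare('SELECT about FROM profiles WHERE user = :u');
    $stmt->execute([':u' => $user]);
    return (string) $stmt->fetchColumn();
}

// Rendering: escape everything first, then re-enable only what is allowed.
// Because escaping runs before the allow-list step, quotes and angle
// brackets are already entities by the time an <a> or <img> is built, so
// nothing in a URL can break out of the attribute it is placed in.
function renderAbout(string $about): string
{
    $safe = htmlspecialchars($about, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Pictures: only from the one host we trust, only URL-safe characters.
    $safe = preg_replace_callback(
        '#\[img\](https?://img\.example\.com/[A-Za-z0-9_./-]+)\[/img\]#',
        fn(array $m): string => '<img src="' . $m[1] . '" alt="">',
        $safe
    );

    // Links: bare http(s) URLs become anchors. The lookbehind skips URLs
    // that already sit inside an attribute (the src="..." just built).
    $safe = preg_replace(
        '#(?<!["=])(https?://[A-Za-z0-9._~:/?\#%&;=+-]+)#',
        '<a href="$1" rel="nofollow">$1</a>',
        $safe
    );

    return nl2br($safe);
}

// Constructed sample: the include() attempt from the question, a stray HTML
// tag, a link and a picture. The first two come out as visible text only.
saveAbout($db, 'deacon', "Hi! <? include(\"evil.php\"); ?> <b>not bold</b>\n"
    . "Site: https://example.org/?a=1&b=2 Pic: [img]https://img.example.com/me.png[/img]");
echo renderAbout(loadAbout($db, 'deacon')), "\n";
```

The order matters: if the link and image step ran before `htmlspecialchars()`, the escaping would turn the generated `<a>` and `<img>` tags back into text, and if it ran on unescaped input a quote inside a URL could close the `href` attribute. Escaping first and then allow-listing a narrow character set for the URL avoids both problems.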

  • #3
    Regular Coder Deacon Frost's Avatar
    Join Date
    Feb 2008
    Location
    Between the Lines
    Posts
    279
    Thanks
    31
    Thanked 4 Times in 4 Posts
    Alright, thanks, I'll look into 'em!

  • #4
    Regular Coder Deacon Frost's Avatar
    Join Date
    Feb 2008
    Location
    Between the Lines
    Posts
    279
    Thanks
    31
    Thanked 4 Times in 4 Posts
    OK, so I've been reading through MySQL injection stuff and such, but I really don't understand it all that well...

    Few questions:

    1. Why are slashes so bad? Why do we sometimes want to remove them, and other times add them?
    2. Why should we quote everything that goes into the database, but remove the quotes when bringing it out?
    3. Why would entering a random space or slash into the password field in a user login allow them to sign in, or edit things?

    I read it, and I see how to do it, but without knowing why, or understanding it properly, I don't think I'll be effective at it XD! So if anyone cares to go into more details...

    I did read a lot of php.net's, but they don't really tell you why, just what it'll do.

  • #5
    Regular Coder
    Join Date
    Mar 2008
    Posts
    103
    Thanks
    1
    Thanked 8 Times in 8 Posts
    Basically you are tricking the database with information that is valid but gives them the ability to do things that they shouldn't.

    For example:

    normal input:
    SELECT * FROM users WHERE username = 'p4plus2'

    BAD input:
    SELECT * FROM users WHERE username = '' OR 1''

    A WHERE statement with an OR clause of 1 is always true, so it will let you in as that user.

    Another example:
    bad input:
    SELECT * FROM users WHERE username = ' '; DELETE FROM users WHERE 1 or username = ' '

    which will delete all of your users table.

    Get it now?
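
The mechanism behind both examples in #5, and behind question 3 in #4, is the same: the script builds the SQL as a string, so a quote character in the input ends the string literal early and whatever follows is read as SQL, not as data. The following is an added example, not code from this thread, that runs the same login query three ways against an in-memory SQLite database through PDO: pasted in as a string, escaped the way #2 recommends, and as a prepared statement where the query text is fixed before any input is seen. The `users` table, its rows and the `login*` function names are constructed for the demo; the same PDO calls work against MySQL with a `mysql:` DSN.

```php
<?php
// Added example, not code from this thread. Shows why a quote in the input
// changes the meaning of a string-built query, how escaping keeps the quote
// inside the literal, and how a prepared statement avoids the problem
// entirely. Runs against an in-memory SQLite database through PDO.
// The passwords are stored in clear only to keep the demo short; real
// code stores password_hash() output and compares with password_verify().

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('p4plus2', 'secret'), ('admin', 'hunter2')");

// Vulnerable: the input is pasted into the SQL text. A quote in the input
// ends the string literal early, so the rest of the input becomes SQL.
function loginUnsafe(PDO $db, string $user, string $pass): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// The approach from post #2: escape the quote so it stays inside the
// literal. PDO::quote() does what mysql_real_escape_string() did and also
// adds the surrounding quotes. It works, but it has to be remembered for
// every single value that goes into a query.
function loginEscaped(PDO $db, string $user, string $pass): int
{
    $sql = 'SELECT COUNT(*) FROM users WHERE username = ' . $db->quote($user)
         . ' AND password = ' . $db->quote($pass);
    return (int) $db->query($sql)->fetchColumn();
}

// Prepared statement: the SQL text is fixed at prepare time and the input
// travels separately as a value. A quote in $user is just a character to
// look for, so no escaping is needed and none can be forgotten.
function loginSafe(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn();
}

// Constructed attempts: real credentials, a wrong password, and the
// always-true OR from post #5 typed into both fields.
$attempts = [
    ['p4plus2', 'secret'],
    ['p4plus2', 'wrong'],
    ["' OR '1'='1", "' OR '1'='1"],
];
foreach ($attempts as [$u, $p]) {
    printf("%-14s unsafe=%d escaped=%d prepared=%d\n",
        $u, loginUnsafe($db, $u, $p), loginEscaped($db, $u, $p), loginSafe($db, $u, $p));
}
```

For the third attempt the unsafe query becomes `... username = '' OR '1'='1' AND password = '' OR '1'='1'`, which matches every row, so the count is 2; the escaped and prepared versions look for a user whose name literally contains the quote and find nothing. The second example in #5, with the `;` and `DELETE`, works the same way but needs the driver to run more than one statement per call, which PDO's `query()` with MySQL does not do by default; that is one more reason to prefer the prepared form rather than rely on it.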

  • #6
    Regular Coder Deacon Frost's Avatar
    Join Date
    Feb 2008
    Location
    Between the Lines
    Posts
    279
    Thanks
    31
    Thanked 4 Times in 4 Posts
    So if you have a form...

    you put

    for instance to assign new variables...

    $user = mysql_real_escape_string($_POST['user']);

    And that'll fix it?

    But what about slashes? I can understand the extra queries used in form fields altering it, but I don't understand what slashes can do, or how they can be used in injection.

    Like, every script I see uses stripcslashes() on, like, everything... if that's the case... why would you add slashes?
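
The slash question in #4 and #6 comes down to one fact: inside a SQL string literal, MySQL (in its default SQL mode) reads a backslash as "the next character is data", and removes the backslash while parsing. So the slash that `mysql_real_escape_string()` adds never reaches the table, and nothing needs to be stripped on the way out. The reason old scripts call `stripslashes()` is the `magic_quotes_gpc` setting of PHP 4 and 5.x (removed in PHP 5.4), which had already run `addslashes()` on every `$_GET`, `$_POST` and `$_COOKIE` value; escaping that again stores a stray backslash. The following is an added example, not code from this thread, that walks through the three cases. `addslashes()` stands in for `mysql_real_escape_string()` because there is no live MySQL connection here; the `$magicQuotesOn` flag simulates the old setting, and the function names are constructed for the demo.

```php
<?php
// Added example, not code from this thread. Shows what a backslash does in
// a SQL string literal, why escaping twice corrupts data, and why scripts of
// the magic_quotes era called stripslashes() first. addslashes() stands in
// for mysql_real_escape_string() (which is charset-aware and was the right
// call against a real MySQL connection); a prepared statement makes both
// unnecessary.

$name = "O'Reilly";   // constructed sample: a legitimate value with a quote

// Pasted in raw, the quote ends the literal early: username = 'O'Reilly'
$naive = "SELECT * FROM users WHERE username = '$name'";

// Escaped once: the backslash tells MySQL the quote is part of the string.
// MySQL drops the backslash while parsing, so the table stores O'Reilly.
$once = addslashes($name);                        // O\'Reilly
$correct = "SELECT * FROM users WHERE username = '$once'";

// Escaped twice (magic_quotes_gpc already did it, then the script did it
// again): MySQL removes one level and stores O\'Reilly, slash included.
// That stray slash is what people later "fix" with stripslashes() on output,
// which only hides the bug instead of removing it.
$twice = addslashes($once);                       // O\\\'Reilly

echo "raw:   $naive\n";
echo "once:  $correct\n";
echo "twice: SELECT * FROM users WHERE username = '$twice'\n";

// Correct handling for the era this thread comes from: undo the automatic
// slashes, then escape exactly once, right before the value enters the query.
// $magicQuotesOn simulates the old get_magic_quotes_gpc() setting.
function valueFromRequest(string $asReceived, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($asReceived) : $asReceived;
}

function userLookup(string $rawValue): string
{
    // Escape once, at the boundary to the database, never earlier.
    return "SELECT * FROM users WHERE username = '" . addslashes($rawValue) . "'";
}

// Simulate what the request body looked like under both settings; the
// cleaned value and the final query are identical either way.
$received = ['off' => $name, 'on' => addslashes($name)];
foreach ($received as $setting => $body) {
    $clean = valueFromRequest($body, $setting === 'on');
    printf("magic_quotes %-3s received %-12s cleaned %-9s query: %s\n",
        $setting, $body, $clean, userLookup($clean));
}
```

The rule that falls out of this: escape a value exactly once, in the one place where it is about to be used (the SQL query, the HTML page), and keep the stored data raw. `stripslashes()` everywhere is a symptom of escaping in the wrong place; on PHP 5.4 and later, where magic quotes no longer exist, it silently corrupts any legitimate backslash the user typed.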

