  1. #1
    SMC
    New Coder
    Join Date
    Jun 2007
    Location
    Orlando, FL
    Posts
    60
    Thanks
    5
    Thanked 2 Times in 2 Posts

    Two functions to live by

    This is extremely simple, but it is intended more to help people learn than for actual, literal piecing together.
    PHP Code:
    <?php

    function dataEncode( $input ){
        $input = addslashes( htmlentities( $input ) );
        return $input;
    }

    function dataDecode( $input ){
        $input = stripslashes( html_entity_decode( $input ) );
        return $input;
    }

    ?>
    You should do this WHENEVER you are dealing with data you are passing to another script, writing into something, or storing. This will catch many versions of SQL injection, directory traversal, and lots of other nasty hacking tricks.

    You implement it as such:

    PHP Code:
    <?php
    // My login script

    $myUsername = dataEncode( $_POST['username'] );
    // the password was used below without being set in the original post
    $myPassword = dataEncode( $_POST['password'] );

    $sql = mysql_query( "SELECT * FROM users WHERE username = '$myUsername' AND password = '$myPassword'" )
            or die( mysql_error() );

    echo( "Congratulations, " . dataDecode( $myUsername ) . "! You have logged in!" );

    ?>

  • #2
    Regular Coder
    Join Date
    Sep 2007
    Location
    AZ, USA
    Posts
    685
    Thanks
    6
    Thanked 46 Times in 46 Posts
    Useful, but why would you put that in a function? Just use it like so:
    PHP Code:
    <?php
    addslashes( htmlentities( $input ) );
    stripslashes( html_entity_decode( $input ) );
    ?>

  • #3
    bdl
    Regular Coder
    Join Date
    Apr 2007
    Location
    Camarillo, CA US
    Posts
    590
    Thanks
    4
    Thanked 83 Times in 82 Posts
    I respectfully disagree; your code should not have stored slashes in the first place, and you should always use the MySQL specific mysql_real_escape_string() instead of addslashes() when dealing with that RDBMS.

    The use of htmlentities() is fine for a generic solution, but why store all the extra characters? The database doesn't care if the user is attempting an XSS or CSRF attack. This is about properly partitioning your code so that when you do output HTML using that stored data, you use htmlentities() at that point. Stored data is agnostic as to the final outcome. Furthermore, shouldn't your script properly filter input and eliminate anything other than a username or a password value, for example?

    Having a function argument named '$input' is fine, but don't you think it would be more clear if your return value was named '$output'?

    Your function naming convention is also confusing. You're not actually 'encoding' or 'decoding' anything.

    Just some constructive criticism, hope you find it useful.
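    An added example of the partitioning bdl describes (my code, not bdl's or the thread's): the raw value is stored unchanged, the database layer does its own SQL quoting, and HTML encoding happens only when the value is written into a page. It assumes PHP 7.1+ with the PDO SQLite driver, uses an in-memory SQLite table so it runs offline (the same PDO calls work against MySQL), and uses PDO prepared statements as the modern form of letting the driver escape for the RDBMS, since the mysql_* extension with mysql_real_escape_string() was removed in PHP 7. The table, column and variable names are constructed for the example.

```php
<?php
// Added example, not the thread's code. Store raw data; escape only at each
// boundary (SQL via bound parameters, HTML via htmlspecialchars at output).

// Constructed sample inputs.
$username      = "O'Brien & Sons";
$password      = "p4ss";
$attackerInput = "' OR '1'='1";

// In-memory SQLite so the example runs offline (assumption: PDO_SQLITE is loaded).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password_hash TEXT)");

// The thread's approach: escape before storing. Whatever PHP version you run,
// the stored string is no longer what the user typed, and every reader of the
// column has to know how to undo it. addslashes() is also not MySQL's rule.
$storedByThreadApproach = addslashes(htmlentities($username));

// Partitioned approach: store the raw value; bound parameters are sent as
// data, so quotes in the value never reach the SQL parser as syntax.
$insert = $db->prepare("INSERT INTO users (username, password_hash) VALUES (:u, :p)");
$insert->execute([
    ':u' => $username,
    ':p' => password_hash($password, PASSWORD_DEFAULT), // never store plaintext
]);

function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT username, password_hash FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$row = findUser($db, $username);
echo "stored value equals input: ", var_export($row['username'] === $username, true), "\n";
echo "quote-bearing input matched a row: ", var_export(findUser($db, $attackerInput) !== null, true), "\n";

// The password check belongs to the login script, not to an escaping layer.
$loggedIn = $row !== null && password_verify($password, $row['password_hash']);

if ($loggedIn) {
    // HTML encoding is applied here, at output time, and nowhere else.
    echo 'Congratulations, ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . "! You have logged in!\n";
}
echo "the thread's dataEncode() would have stored: $storedByThreadApproach\n";
```

    The first two echoes print true and false: the username comes back exactly as entered, and the input containing a quote is matched as a literal username (no row) rather than rewriting the WHERE clause.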

  • #4
    broncozr
    New Coder
    Join Date
    Apr 2007
    Posts
    48
    Thanks
    4
    Thanked 1 Time in 1 Post
    Quote Originally Posted by bdl View Post
    The use of htmlentities() is fine for a generic solution, but why store all the extra characters?
    The database doesn't care if the user is attempting an XSS or CSRF attack.
    This is about properly partitioning your code so that when you do output HTML using that stored data, you use htmlentities() at that point.
    I've read this on several forums, and I just don't get it?!?!!! What's the advantage of htmlentities()'ing the MySQL data when placing it in a textarea (for subsequent editing) or when outputting it as HTML?

    Thanks

  • #5
    Regular Coder
    Join Date
    May 2006
    Location
    Wales
    Posts
    820
    Thanks
    1
    Thanked 82 Times in 79 Posts
    Quote Originally Posted by broncozr View Post
    I've read this on several forums, and I just don't get it?!?!!! What's the advantage of htmlentities()'ing the MySQL data when placing it in a textarea (for subsequent editing) or when outputting it as HTML?

    Thanks
    htmlentities() changes all HTML special characters (such as &, <, >, etc.) into their encoded counterparts (&amp;, &lt;, &gt;) so that user-inputted data doesn't affect the layout of your page.
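    An added example (mine, not the poster's) showing broncozr's two cases, a textarea and ordinary HTML output, with a constructed stored value that contains markup. It uses htmlspecialchars(), which encodes exactly the characters the reply lists; htmlentities() works the same way for this purpose. The field name and the sample value are constructed.

```php
<?php
// Added example, not the thread's code. The database holds the raw text;
// encoding is applied when the text is written into HTML.

// Constructed stored value: contains an ampersand, a closing tag and a script tag.
$stored = "Tom & Jerry </textarea><script>alert(1)</script>";

function renderParagraph(string $value): string
{
    // Encoded, the text is displayed literally instead of being parsed as tags.
    return '<p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</p>';
}

function renderTextarea(string $value): string
{
    // Without encoding, the "</textarea>" inside the data would close the
    // element early and the rest of the value would be parsed as markup.
    return '<textarea name="bio">' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

echo renderParagraph($stored), "\n";
echo renderTextarea($stored), "\n";

// The browser decodes the entities when it builds the DOM, so the textarea
// shows the original text and submits the original text. Nothing was stored
// encoded, so there is nothing to undo on the way back in. Simulated here
// with html_entity_decode() standing in for the browser.
$roundTrip = html_entity_decode(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8');
echo "round trip preserves the value: ", var_export($roundTrip === $stored, true), "\n";
```

    The point of encoding at output rather than at storage is visible in the last line: the stored value and what comes back from the edit form are identical, while both rendered strings contain no live tags.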
