On 25/01/2008, Jim Lucas <[EMAIL PROTECTED]> wrote:
> That should be considered part of the DRY method. But spanning page
> requests.
>
> I cannot see any reason why you shouldn't be doing this before you
> insert this information into your DB. Doing it once on your insert,
> instead of every sin
Richard Lynch wrote:
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
It is NOT safe from, say, XSS attack if $evilString contains an XSS
snippet and you re-display it on your site.
In other words, you should still filter the INPUT s
On Thu, January 24, 2008 12:03 pm, Dotan Cohen wrote:
> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> It is NOT safe from, say, XSS attack if $evilString contains an XSS
>> snippet and you re-display it on your site.
>>
>> In other words, you should still filter the INPUT somewhere; Bu
On 24/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> That won't save you if you're echoing into a single quote attribute.
> (ie: src='')
Even after I've stripped away the tags with strip_tags()?
> Like htmlspecialchars(), the optional second quote_style parameter
> lets you define what will be
On Jan 24, 2008 1:03 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > It is NOT safe from, say, XSS attack if $evilString contains an XSS
> > snippet and you re-display it on your site.
> >
> > In other words, you should still filter the INPUT
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> It is NOT safe from, say, XSS attack if $evilString contains an XSS
> snippet and you re-display it on your site.
>
> In other words, you should still filter the INPUT somewhere; But you
> are escaping the output to MySQL so that it is not g
On Thu, January 24, 2008 10:01 am, Dotan Cohen wrote:
> On 24/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> > Which basically is the same as a simple mysql_real_escape_string?
>> In
>> > other words, mysql_real_escape_string itself is safe from SQL
>> > injection?
>>
>> not exactly - it assume
On Wed, January 23, 2008 11:28 pm, Dotan Cohen wrote:
> In
> other words, mysql_real_escape_string itself is safe from SQL
> injection?
Yes.
That is the entire purpose of the existence of that function in the
first place.
--
Some people have a "gift" link here.
Know what I want?
I want you to b
On 24/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > Which basically is the same as a simple mysql_real_escape_string? In
> > other words, mysql_real_escape_string itself is safe from SQL
> > injection?
>
> not exactly - it assumes you will use the value as a quoted string in a query.
>
> $s =
Dotan Cohen schreef:
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
Is the "--" here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepar
On 24/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> > Is the "--" here not treated as the beginning of an SQL comment?
>
> No, because it is inside the apostrophes.
>
> The purpose of mysql_real_escape_string (or using prepared statements
On Wed, January 23, 2008 3:30 pm, Chris wrote:
>
>> Right now I still use mysql_escape_string and it seems to work fine,
>> but it makes me nervous as everything else I use is mysqli and I
>> know
>> it is not 100% compatible (just haven't had anything break it yet) -
>> but I hate having to have
On Wed, January 23, 2008 3:18 pm, Dotan Cohen wrote:
> I think it was here on this list that we saw an example of SQL
> injection despite the use of mysql_escape_string. Some funky Asian
> charset was used, no?
I don't know that I'd call it funky, but yes.
Without the "real" MySQL does not know w
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
> Is the "--" here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.
The data a
Chuck schreef:
On Jan 22, 2008 7:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may alread
On 1/23/08, Chris <[EMAIL PROTECTED]> wrote:
> If you need to escape something you're going to do a query aren't you?
> Or am I missing something here?
true. but i typically have everything in wrapper functions, and i
don't keep the actual resource variable exposed to use it (since it
needs a res
On 24/01/2008, Chuck <[EMAIL PROTECTED]> wrote:
>
> Why not write a function that does the same thing?
> mysql_real_escape_strings is a very simple function. And if your data
> is properly normalized and you don't support other charsets it's very
> simple.
>
Maintenance and security seem to be two
On Jan 22, 2008 7:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be conne
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> Dotan Cohen schreef:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> I might just want to put '--' in a te
On 23/01/2008, Chris <[EMAIL PROTECTED]> wrote:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> Depends on your app.
>
> -- is an accepted thing in emails as a m
Dotan Cohen schreef:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of
Dotan Cohen wrote:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
I can read, I saw 2 functions the first time. each function cleans *and*
escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
I see your point.
if the input needs to be stripped of h
Right now I still use mysql_escape_string and it seems to work fine,
but it makes me nervous as everything else I use is mysqli and I know
it is not 100% compatible (just haven't had anything break it yet) -
but I hate having to have a connection handle open just to escape
things.
If you need
Dotan Cohen wrote:
On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
It would be Real Nifty (tm) if the MySQL API had a function that let
you specify the charset without a connection and did the escaping.
Presumably you don't NEED a connection if you already know what
charset thingie you are aimin
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> I can read, I saw 2 functions the first time. each function cleans *and*
> escapes.
>
> cleaning is filtering of input.
> escaping is preparing for output.
>
> 2 concepts.
I see your point.
> if the input needs to be stripped of html then i
On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> There isn't a reason to go and report a bug as their stuff works fine.
I would have filed a wish, not a bug. They are both filed in the
bugzillas that I'm familiar with. In any case, I'm not filing as I've
no account there and I'll not be fil
On 23/01/2008, mike <[EMAIL PROTECTED]> wrote:
> > > It would be Real Nifty (tm) if the MySQL API had a function that let
> > > you specify the charset without a connection and did the escaping.
> > >
> > > Presumably you don't NEED a connection if you already know what
> > > charset thingie you ar
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> > On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> >> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> > However, I do not think that the script should throw an
Dotan Cohen schreef:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
you don't understand what I mean.
input filtering is a separate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated
On Jan 23, 2008 2:37 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > Back to the original question...
> >
> > I suppose you could use mysql_escape_string (note the lack of "real")
> > in the short term...
>
> I'd rather not. There is no short
> > It would be Real Nifty (tm) if the MySQL API had a function that let
> > you specify the charset without a connection and did the escaping.
> >
> > Presumably you don't NEED a connection if you already know what
> > charset thingie you are aiming at...
I concur - it would be nice to have the c
On Wed, January 23, 2008 12:47 pm, Dotan Cohen wrote:
> On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
>> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> However, I do not think that the script should throw an error until I
> actually call mysql_clean. Merely having it in a
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> Back to the original question...
>
> I suppose you could use mysql_escape_string (note the lack of "real")
> in the short term...
I'd rather not. There is no short term.
> It would be Real Nifty (tm) if the MySQL API had a function that le
On Wed, January 23, 2008 11:47 am, Dotan Cohen wrote:
> On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
>> for each output (output to mysql, output to browser, etc)
Back to the original question...
I suppose you could use mysql_escape_string (note the lack of "real")
in the short term...
I
On 23/01/2008, Eric Butera <[EMAIL PROTECTED]> wrote:
> On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will no
On Jan 22, 2008 8:01 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be conne
On Jan 23, 2008 10:03 AM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, James Ausmus <[EMAIL PROTECTED]> wrote:
> > Try using the mysql_ping() command to check to see if your connection
> > is available:
> >
> > http://us2.php.net/manual/en/function.mysql-ping.php
> >
> > something like:
On 23/01/2008, James Ausmus <[EMAIL PROTECTED]> wrote:
> Try using the mysql_ping() command to check to see if your connection
> is available:
>
> http://us2.php.net/manual/en/function.mysql-ping.php
>
> something like:
>
>
> if (@mysql_ping()) //Note the @ is because, if mysql_ping cannot g
Try using the mysql_ping() command to check to see if your connection
is available:
http://us2.php.net/manual/en/function.mysql-ping.php
something like:
HTH-
James
On Jan 22, 2008 6:04 PM, Dotan Cohen <[EMAIL PROTECTED]> wrote:
> On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
> >
>
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> you don't understand what I mean.
>
> input filtering is a separate task to output filtering.
> you filter and validate all input to the script regardless of
> how you are going to use it. THEN you escape the filtered, validated data
> for eac
Dotan Cohen schreef:
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
The file defines some of my own functions, like these:
function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}
function clean_mysql ($dirty) {
$dirty=str_r
On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> > The file defines some of my own functions, like these:
> >
> > function clean_html ($dirty) {
> > $dirty=strip_tags($dirty);
> > $clean=htmlentities($dirty);
> > return $clean;
> > }
> >
> > function clean_mysql ($dirty) {
> >
Dotan Cohen schreef:
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will
On 23/01/2008, Richard Lynch <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will not con
On Tue, January 22, 2008 7:01 pm, Dotan Cohen wrote:
> I have a file of my own functions that I include in many places. One
> of them uses mysql_real_escape_string, however, it may be called in a
> context that will or will not connect to a mysql server, and worse,
> may already be connected. So
On 23/01/2008, Chris <[EMAIL PROTECTED]> wrote:
> Dotan Cohen wrote:
> > I have a file of my own functions that I include in many places. One
> > of them uses mysql_real_escape_string, however, it may be called in a
> > context that will or will not connect to a mysql server, and worse,
> > may alr
Dotan Cohen wrote:
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
r
I have a file of my own functions that I include in many places. One
of them uses mysql_real_escape_string, however, it may be called in a
context that will or will not connect to a mysql server, and worse,
may already be connected. So I must avoid connecting. However, when I
run the script without
48 matches