Re: [PHP] basic user/input form questions... more validation!

2005-09-24 Thread Jasper Bryant-Greene
bruce wrote: i would agree, and didn't think it made sense.. but i don't know what you mean by the phrase 'escape all output'!! i don't see the need to escape all output from the mysql db/tbl... so i'm not sure you meant this. Output can be (among other things): * Your script => MySQL * Your s

RE: [PHP] basic user/input form questions... more validation!

2005-09-24 Thread bruce
as well as how to use the vars/data in other parts of the given application. -bruce -Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED] Sent: Friday, September 23, 2005 9:22 PM To: [EMAIL PROTECTED] Cc: php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions..

Re: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread Chris Shiflett
bruce wrote: my question was directed towards trying to understand if you were meaning that an app should escape all output from the mysql db? If you think about that for a moment, I think you'll see that it doesn't make a lot of sense. Data that you get from a remote source is input, not out

RE: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread Chris W. Parker
bruce on Thursday, September 22, 2005 4:19 PM said: > the articles i've seen imply that if you addslashes, you also need to > stripslashes on the backend... That's probably because gpc_magic_quotes (I think that's what it's called) is turned on and doing addslashes

RE: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread Carl Furst
From: bruce [mailto:[EMAIL PROTECTED] > Sent: Friday, September 23, 2005 1:46 PM > To: 'Carl Furst'; 'Chris W. Parker'; php-general@lists.php.net > Subject: RE: [PHP] basic user/input form questions... more validation! > > which is why it's critical/important to r

RE: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread Chris W. Parker
bruce on Friday, September 23, 2005 10:46 AM said: > which is why it's critical/important to really lay out (architect) > your app and to think about how the app should be handling various > data types. this also goes to thinking about how you name variables in > your

RE: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread bruce
ssage- From: Carl Furst [mailto:[EMAIL PROTECTED] Sent: Friday, September 23, 2005 9:48 AM To: 'Chris W. Parker'; php-general@lists.php.net Subject: RE: [PHP] basic user/input form questions... more validation! You should be careful about column types in mysql especially if you are do

RE: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread Carl Furst
lthough why you would join text columns I have no idea). And this was only straight joins.. imagine what left right or other joins would look like. Carl Furst Vote.com P.O. Box 7 Georgetown, Ct 06829 203-544-8252 [EMAIL PROTECTED] > -Original Message- > From: Chris W. Pa

RE: [PHP] basic user/input form questions... more validation!

2005-09-23 Thread bruce
TED] Cc: 'Chris W. Parker'; php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation! bruce wrote: > but what do you mean by "...escape output!!" Output is data that you send somewhere else. In other words, if it leaves your applicati

Re: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Chris Shiflett
bruce wrote: but what do you mean by "...escape output!!" Output is data that you send somewhere else. In other words, if it leaves your application, it is output. This is explained a bit further (with some code) near the start of this talk: http://brainbulb.com/talks/php-security-audit-h

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread bruce
same wavelength?? -bruce -Original Message- From: Chris Shiflett [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 7:15 PM To: [EMAIL PROTECTED] Cc: 'Chris W. Parker'; php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation!

Re: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Chris Shiflett
bruce wrote: not sure i agree with this one.. if i put "foo \' cat" in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get "foo ' cat" out instead!! the articles i've seen imply that

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Murray @ PlanetThoughtful
> -Original Message- > From: bruce [mailto:[EMAIL PROTECTED] > Sent: Friday, 23 September 2005 10:23 AM > To: 'Jasper Bryant-Greene'; php-general@lists.php.net > Subject: RE: [PHP] basic user/input form questions... more validation! > > one

Re: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Jasper Bryant-Greene
bruce wrote: the mysql_real_escape function escapes with a '\' which works for mysql, but isn't standard ansi... is there another function that does the same thing, but uses the ansi standard "'". also, if there is another function, does it also work with mysql?? Well, you could just use str_rep

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread bruce
k with mysql?? thanks -bruce -Original Message- From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 4:39 PM To: php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation! bruce wrote: > not sure i agree with th

Re: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Jasper Bryant-Greene
bruce wrote: not sure i agree with this one.. if i put "foo \' cat" in a db tbl... i expect that i'll get the same out... which is what some of the articles i've seen have stated.. are you telling me, and are you sure, that i'd get "foo ' cat" out instead!! the articles i've seen imply that

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread bruce
instead!! the articles i've seen imply that if you addslashes, you also need to stripslashes on the backend... comments/thoughts/etc... -bruce -Original Message- From: Chris W. Parker [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 3:42 PM To: php-general@lists.p

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Chris W. Parker
bruce on Thursday, September 22, 2005 3:33 PM said: > further investigation seems to imply that 'strings' that are to be > inserted into the mysql db should be 'backslashed' for the chars > > \x00, \n, \r, \,'," and \x1a. That's what escaping is. > the mysql_real_e

Re: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Jasper Bryant-Greene
bruce wrote: further investigation seems to imply that 'strings' that are to be inserted into the mysql db should be 'backslashed' for the chars > \x00, \n, \r, \,'," and \x1a. this implies that i can have a simple function to accomplish this. the mysql_real_escape_string function requires a db c

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread bruce
that were added to the data/vars -process/use accordingly... have i left anything out..?? thoughts/comments/etc. -bruce -Original Message- From: bruce [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 11:52 AM To: 'Gustav Wiberg'; php-general@lists.php.net Subjec

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Chris W. Parker
bruce on Thursday, September 22, 2005 11:58 AM said: > hey chris... Hi. > so you're saying that if data is outside of a-zA-Z0-9 "'" then it > should probably fail the regex anyway.. and it should error out.. (Where did that apostrophe come from? That wasn't in my l

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread bruce
, but you didn't say how.! also, what's the function of the 'addslashes', and when is it used?! -bruce -Original Message- From: Chris W. Parker [mailto:[EMAIL PROTECTED] Sent: Thursday, September 22, 2005 11:38 AM To: php-general@lists.php.net Subject: RE: [PHP] basic u

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread bruce
ent: Thursday, September 22, 2005 11:14 AM To: [EMAIL PROTECTED]; php-general@lists.php.net Subject: Re: [PHP] basic user/input form questions... more validation! - Original Message - From: "bruce" <[EMAIL PROTECTED]> To: Sent: Thursday, September 22, 2

RE: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Chris W. Parker
bruce on Thursday, September 22, 2005 11:05 AM said: > if the app allows the user to enter the input (call it 'foo') and then > submits the form via a POST, where the data is then written to the > db, what kind of validation should occur? Depends on what kind of a f

Re: [PHP] basic user/input form questions... more validation!

2005-09-22 Thread Gustav Wiberg
- Original Message - From: "bruce" <[EMAIL PROTECTED]> To: Sent: Thursday, September 22, 2005 8:05 PM Subject: [PHP] basic user/input form questions... more validation! hi... forgive me!!! Ok; -) Why? You're just asking... :-) continuing the thread from yesterday regarding filter