
PHP batch security


4 replies to this topic

#1 Q695

Q695

    Advanced Member

  • Members
  • 703 posts
  • Location: Earth

Posted 14 May 2013 - 10:10 PM

Am I missing anything for my variable security statement?

// Escape every request value in place before it reaches a query.
// Note: this only handles scalar values; nested arrays in $_GET/$_POST would need recursion.
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}
foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}

How would I reverse it on the output side?


if ($problem==mark_solved){

solution ($problem);}

 

if ($skill_level==learning && $my_knowledge==the_required_level_of_knowledge){

     echo "I will try to help, because you're still $skill_level , and my skill level is at $my_knowledge";

} else {

     echo "I can't help you, go away.";

}


#2 kicken

kicken

    Wiser? Not exactly.

  • Gurus
  • 2,678 posts
  • Location: Bonita, FL

Posted 15 May 2013 - 12:27 AM

You shouldn't be running mysql_real_escape_string on a variable unless it is going into a query. Running it on everything like that causes as many problems (or more) as it solves. As you pointed out, you have to undo it when you want to output the variable to the screen, just as one example.

If you want to avoid typing out mysql_real_escape_string a bunch of times, wrap up your escaping into another function with a shorter name. Maybe do a sprintf()-like function.

untested example:

function prep_query(/* $sql, ...$values */) {
    $args = func_get_args();
    foreach ($args as $i => $v) {
        if ($i == 0) continue; // skip the SQL text itself

        // undo magic_quotes first, otherwise the value gets escaped twice
        if (get_magic_quotes_gpc()) $v = stripslashes($v);
        $args[$i] = mysql_real_escape_string($v);
    }

    // every %s / %d in the SQL text is filled with an escaped value
    return call_user_func_array('sprintf', $args);
}

echo prep_query("SELECT * FROM blah WHERE username='%s' AND IsSomething=%d", $_GET['username'], $_GET['something']);

Recycle your old CD's, don't trash them!
Did I help you out?  Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7

#3 Q695

Q695

    Advanced Member

  • Members
  • 703 posts
  • Location: Earth

Posted 15 May 2013 - 12:42 AM

Almost every single variable is used by a database, and I'll tell it to do an exception if the error is being created.


#4 AbraCadaver

AbraCadaver

    Cracka Memba

  • Gurus
  • 1,888 posts
  • Location: The Republic of Texas

Posted 15 May 2013 - 03:35 PM

I would use mysqli or PDO, much easier and you don't have all the looping and other craziness:

$stmt = mysqli_prepare($link, "SELECT `column` FROM `table` WHERE `field`=?");
mysqli_stmt_bind_param($stmt, "s", $_GET['something']);
mysqli_stmt_execute($stmt);

Or something as simple as:

$_GET = array_map('mysql_real_escape_string', $_GET);

mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
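To show what the prepared-statement route above looks like when every query in a project goes through one helper (the "set it and forget it" the thread is after), here is an added example that is not code from any poster. It uses PDO with an in-memory SQLite database so it runs offline; the table, rows, input values and the helper names db_connect and db_query are all constructed for this demonstration.

```php
<?php
// Added example: one PDO helper for every query, values bound separately from the SQL.
// Uses in-memory SQLite so it runs offline; schema and data are constructed for the demo.

function db_connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false,
    // so the server receives the SQL and the values as separate messages.
    return $pdo;
}

// SQL text with ? placeholders, values passed as an array: the driver never
// interpolates them into the query, so no escaping (or un-escaping) is needed.
function db_query(PDO $pdo, string $sql, array $params = []): array {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = db_connect();
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, bio TEXT)");

// Constructed input: a value containing a quote, as a user might genuinely submit it.
$username = "O'Brien";
db_query($pdo, "INSERT INTO users (username, bio) VALUES (?, ?)",
         [$username, 'Likes "quotes" and \\ backslashes']);

// What comes back is exactly what went in: nothing to reverse on the output side.
$rows = db_query($pdo, "SELECT username, bio FROM users WHERE username = ?", [$username]);
assert($rows[0]['username'] === "O'Brien");

// A parameter that happens to contain SQL syntax is compared as plain data and simply
// matches nothing; the statement's structure cannot change.
$rows = db_query($pdo, "SELECT id FROM users WHERE username = ?", ["' OR 1=1 --"]);
assert(count($rows) === 0);

// Escaping belongs at the output boundary, chosen per context (here: HTML).
foreach (db_query($pdo, "SELECT username, bio FROM users") as $row) {
    echo htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['bio'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```

Running it prints `O&#039;Brien: Likes &quot;quotes&quot; and \ backslashes`, with the apostrophe stored unmodified in the database and encoded only when rendered as HTML.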

#5 Q695

Q695

    Advanced Member

  • Members
  • 703 posts
  • Location: Earth

Posted 18 May 2013 - 12:19 PM

It's much easier for what I'm doing to batch it in, because I'm actually using several dozen MySQL queries in the project, i.e. set it and forget it, unless the host does it.
