Mig21
  1. Yeah, I guess you're right, so I'll get rid of these messages after the release candidates and maybe one day I'll have the patience to write an error logger and reviewer. I'll still try to add a note to php.net for those who didn't think it through, that warning really should be there since it's not immediately obvious (like most XSS issues!). Thanks everyone!
  2. Well, sure there are reasons not to show the user errors coming from mysql queries, but how am I supposed to debug problems when they happen if the user can only tell me that "An error has occurred"? What do you guys do? Do you log all the errors separately and review them periodically? Or give the user a ticket number that's associated with an SQL error that the user can't see but is stored some place else with the ticket number as a key for you to review? Seems like a lot of work. And actually, even in those cases - you have to review the errors and you're likely to read them in a browser or a mail client, both of which would be vulnerable to XSS. So even if I don't show the user the message, should I not always do the HTML escape on it?
  3. Yeah, I thought so too, the problem is it seems that so far I'm the only one who's thought of it. See for example the PHP manual where every example prints the return of mysqli_error(): http://us2.php.net/manual/en/mysqli.error.php Or try to google mysqli_error escape or similar searches. You will find all over the place the advice is entirely limited to escaping the SQL and sometimes escaping the HTML but never escaping the return of mysqli_error(). Which is why I'm so confused. Am I missing something? Should this be reported as a documentation error to php.net?
  4. But it does have user input, for example if I change WHERE to WHERE1 this is the mysqli_error(): "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TimePeriod.timetableId = Timetable.id AND Timetable.id = '120'' at line 3". 120 came from the user! Escaped for SQL but not for HTML.
  5. Hi, I find it very strange that I can't find an answer to this question. In my code I have queries where I use mysqli_real_escape_string() to make sure there is no SQL injection happening. But then I just call mysqli_error() and dump its output into standard out, without escaping it using htmlspecialchars() or anything similar. Is it a stupid question to ask why that's not a security concern? Is it really that mysqli_real_escape_string() escapes HTML special characters as well? Thanks in advance.
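The pattern the thread circles around (escape the error text if you show it, otherwise log it server-side and hand the user only a ticket id), as an added example that is not part of any post on this page; the helper names and the constructed error string are assumptions of this example, not the poster's code.

```php
<?php
// Added example. Two points from the thread: (1) mysqli_error() text can echo
// user-supplied values, so it is untrusted and must be HTML-escaped like any
// other string before output; (2) in production, log the raw error under a
// ticket id and show the user only the (escaped) ticket.
declare(strict_types=1);

// Escape a string for HTML body or attribute context (UTF-8, quotes included).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Log the raw database error and the SQL it came from server-side, return a
// ticket id the user can quote back. The log is plain text; whatever later
// renders it in a browser or mail client must escape it too (point raised
// in the thread about reviewing logged errors).
function log_db_error(string $rawError, string $sql): string
{
    $ticket = bin2hex(random_bytes(6));            // hypothetical ticket format
    error_log(sprintf('[db-error %s] %s | sql: %s', $ticket, $rawError, $sql));
    return $ticket;
}

// What the browser gets in production: no error text, only an escaped ticket.
function user_facing_message(string $ticket): string
{
    return '<p>A database error occurred. Reference: <code>' . h($ticket) . '</code></p>';
}

// Constructed error text modelled on the one quoted in the thread, with a
// user value that carries markup to show why escaping matters.
$userValue = "120'<b>not bold</b>";
$rawError  = "You have an error in your SQL syntax; ... near 'Timetable.id = '"
           . $userValue . "'' at line 3";

// Development path: if the error is shown at all, escape it first.
echo '<pre>' . h($rawError) . "</pre>\n";   // <b> is rendered as &lt;b&gt;

// Production path: raw text goes to the log, the page shows only the ticket.
$ticket = log_db_error($rawError, 'SELECT ... WHERE1 TimePeriod.timetableId = Timetable.id');
echo user_facing_message($ticket) . "\n";
```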