asmith3006, posted March 4, 2009:

If I were to write a function to get user input such as

    function get_input($name)
    {
        // escape for MySQL as soon as the value is read from the request
        if (isset($_POST[$name])) {
            return mysql_real_escape_string($_POST[$name]);
        } else {
            return false;
        }
    }

and then collect all user input from this function (never directly), then I don't need to 'clean' any of my MySQL queries after that? I suppose what I'm asking is: is there any other way of injection attacks (etc.) happening?

Thanks, Andrew.
rhodesa, posted March 4, 2009:

this is a common misconception. the function you have here will clean the data for MySQL... that is it. this doesn't provide any safety from XSS attacks (where people inject HTML code). also, don't get into the habit of just running all input through mysql_real_escape_string() as soon as it's posted. you will end up with \'s in places you might not want:

    $val = get_input('name'); // let's assume the 'name' posted is John O'Hara
    print '<input type="text" value="' . $val . '" />';

the above will insert a \ in front of the ' when it shouldn't be there. my recommendation is to just use the proper functions on an as-needed basis. the two I use most are:

- mysql_real_escape_string() when building queries
- htmlspecialchars() to escape text for displaying in HTML

...or look into MySQLi, which will escape the data for you.
asmith3006, posted March 5, 2009 (thread author):

So if I use mysqli I don't need to 'clean' the data at all? If I'm writing a new system, should I use mysqli?
rhodesa, posted March 5, 2009:

MySQLi uses a substitution method, where you put a question mark where the values go and pass the values as arguments. it will escape them and insert them into the sql statement for you. but, there is a catch to MySQLi: the mysqli extension is designed to work with MySQL version 4.1.13 or newer, or 5.0.7 or newer.
asmith3006, posted March 5, 2009 (thread author):

Ok, so I'm writing a new system and have control over the server, so I guess MySQLi is the way to go. My next question is: is it worth me writing a database abstraction layer? Is MySQLi easier to just use directly?
rhodesa, posted March 5, 2009:

if you want a database abstraction layer, look into ADODB and ADODBlite:
http://adodb.sourceforge.net/
http://adodblite.sourceforge.net/
asmith3006, posted March 5, 2009 (thread author):

Hi, sorry to keep asking questions, but I'm new to this. Do I need to use an abstraction layer? Are they more designed for projects that could be run on ANY system rather than a specific setup?
rhodesa, posted March 5, 2009:

yeah, they are used mainly when packaging something where you don't know what DB will be used when it reaches its final destination. another reason to use it is if you use lots of different databases. this way you only have to become familiar with one set of functions. the downside to an abstraction layer is that it's more overhead (what could be done in 5 lines of code requires several file includes and probably dozens of lines of code). you might also have to give up some features that are specific to one db type, since it needs to work on all db types.
asmith3006, posted March 5, 2009 (thread author):

Ok, so looking through mysqli it looks much nicer (liking the OO style). Yet another question though: do I need to run ALL queries through bind, or do I just do that with queries with user input in them?
rhodesa, posted March 5, 2009:

for just quick statements, you can use http://us.php.net/manual/en/mysqli.query.php

for statements you want sanitized, you should use the prepare/bind/execute method: http://us.php.net/manual/en/mysqli-stmt.execute.php

if you look at example 1 in the link above, you will see the advantage of binds. you can bind them to variables, execute, then change the variables and execute again without preparing/binding again.
asmith3006, posted March 6, 2009 (thread author):

Oooh, I like the look of that. Thanks. End of questions... for now.
Daniel0, posted March 6, 2009:

Do note that it doesn't happen automatically. It's only when you are using prepared statements that it'll do it.
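The following is an added example, not code from any post in this thread, pulling together the advice above: raw input is kept as-is, the SQL context is handled by mysqli prepare/bind/execute (with the re-execute trick from example 1 of the manual page rhodesa linked), the HTML context by htmlspecialchars() at output time, and, as Daniel0 notes, mysqli->query() escapes nothing by itself. It assumes a reachable MySQL server with the placeholder credentials shown and a table users(id INT, name VARCHAR(64), email VARCHAR(128)).

```php
<?php
// Added example; connection details are placeholders, not values from the thread.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping and binding must agree with the connection charset

// Keep the raw value. The right escaping depends on where the value is used
// (SQL, HTML, ...), not on where it came from, so nothing is escaped here.
$name = isset($_POST['name']) ? $_POST['name'] : '';

// SQL context: prepare once with a ? placeholder, bind a PHP variable by reference,
// then execute. The bound value never becomes part of the SQL text, so input such
// as "' OR 1=1 -- " is treated as plain data and cannot change the query.
$stmt = $db->prepare('SELECT id, email FROM users WHERE name = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $name);      // 's' = one string parameter
$stmt->execute();
$stmt->bind_result($id, $email);    // result columns are bound once and stay bound
while ($stmt->fetch()) {
    // HTML context: escape at output time only, with ENT_QUOTES so a value
    // containing " or ' cannot break out of the attribute.
    echo '<input type="text" value="' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . '" />';
}

// Re-execute with a different value: the variable bound above is read again,
// so there is no need to prepare or bind a second time (constructed value; the
// apostrophe needs no manual escaping).
$name = "John O'Hara";
$stmt->execute();
while ($stmt->fetch()) {
    echo '<p>' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . '</p>';
}
$stmt->close();

// mysqli->query() does NOT escape anything for you. If a value has to be
// interpolated into the query string, escape it explicitly for SQL first.
$safe = $db->real_escape_string($name);
$result = $db->query("SELECT id FROM users WHERE name = '$safe'");
if ($result !== false) {
    $result->free();
}
$db->close();
```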