angelali Posted May 21, 2012 Share Posted May 21, 2012 Well, I just want to know, if I add mysql_real_escape_string and strip_tags to a checkbox, does this mean it is 100% protected from SQL injection and XSS attack? For example: <input type=checkbox' name="checkbox"/> $checkbox = mysql_real_escape_string(stip_tags($_POST['checkbox'])); Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/ Share on other sites More sharing options...
Jessica Posted May 21, 2012 Share Posted May 21, 2012 Your checkbox has no value, so I think it would only return true, in which case you can just cast it as an int and be fine. Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347306 Share on other sites More sharing options...
angelali Posted May 21, 2012 Author Share Posted May 21, 2012 Elaborate.... I know it has no value...so does this mean even by applying these security measures, it can be attacked as it returns true? Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347309 Share on other sites More sharing options...
Jessica Posted May 21, 2012 Share Posted May 21, 2012 It means that since you are only expecting either nothing or 1, don't bother stripping tags, etc, just cast it as an int. Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347310 Share on other sites More sharing options...
angelali Posted May 21, 2012 Author Share Posted May 21, 2012 Well, to be in brief, I can leave it like this then: $checkbox = mysql_real_escape_string(strip_tags($_POST['checkbox'])); Sorry lol , I'm a bit sleepy today... Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347311 Share on other sites More sharing options...
angelali Posted May 21, 2012 Author Share Posted May 21, 2012 Oh no lol, it does hold a value, I mean the checkbox has a value, it has a value from database... Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347312 Share on other sites More sharing options...
PFMaBiSmAd Posted May 21, 2012 Share Posted May 21, 2012 Sql can be injected that contains NO tags or quotes, for which mysql_real_escape_string and strip_tags would have NO affect on, depending on how you are using the value in a query statement. Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347314 Share on other sites More sharing options...
angelali Posted May 21, 2012 Author Share Posted May 21, 2012 Jesirose knows this code as she was helping me yesterday.... By the way Jesirose, I successfully solved the problem yesterday.. Here are the codes what Im telling you below: The checkbox: echo '<td><input type="checkbox" name="delete[]" value="'.$row['img_ID'].'"/></td>'; A part of the codes: if (isset($_POST['delete'])) { foreach ($_POST['delete'] as $delete) { $ids[] = mysql_real_escape_string(strip_tags($delete)); } mysql_query("DELETE FROM photos WHERE images_ID IN (".implode(',',$ids).")");; echo "Record Deleted."; } Everything is ok, only want to know if this can be attacked thats all.. Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347315 Share on other sites More sharing options...
angelali Posted May 21, 2012 Author Share Posted May 21, 2012 Well, are you here? I posted the full codes Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347322 Share on other sites More sharing options...
Jessica Posted May 21, 2012 Share Posted May 21, 2012 Again, if you're expecting an integer, just cast it as an integer. You don't need to do anything else with it. By the way, this is not help on demand. Not getting a reply within 20 minutes is not a reason to bump the thread. Most of us have jobs and families, and I am caring for my 6 month old son while working. The rule on this forum is no bumping threads. Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347427 Share on other sites More sharing options...
darkfreaks Posted May 22, 2012 Share Posted May 22, 2012 i ran that section of code through pixybox SQLI and XSS scanner it came up with nothing not to say the rest of your code is the same way. Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347479 Share on other sites More sharing options...
angelali Posted May 22, 2012 Author Share Posted May 22, 2012 I'm sorry guys for asking two times for answers... @DarkFreaks, so if nothing has happened, then I think its secure... Thank you guys... Link to comment https://forums.phpfreaks.com/topic/262873-sql-injection-and-xss-attack-on-checkbox/#findComment-1347505 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.