angelali Posted May 21, 2012

Well, I just want to know, if I add mysql_real_escape_string and strip_tags to a checkbox, does this mean it is 100% protected from SQL injection and XSS attack? For example:

    <input type="checkbox" name="checkbox"/>

    $checkbox = mysql_real_escape_string(strip_tags($_POST['checkbox']));
Jessica Posted May 21, 2012

Your checkbox has no value, so I think it would only return true, in which case you can just cast it as an int and be fine.
angelali (Author) Posted May 21, 2012

Elaborate.... I know it has no value... so does this mean even by applying these security measures, it can be attacked as it returns true?
Jessica Posted May 21, 2012

It means that since you are only expecting either nothing or 1, don't bother stripping tags, etc., just cast it as an int.
angelali (Author) Posted May 21, 2012

Well, to be brief, I can leave it like this then:

    $checkbox = mysql_real_escape_string(strip_tags($_POST['checkbox']));

Sorry lol, I'm a bit sleepy today...
angelali (Author) Posted May 21, 2012

Oh no lol, it does hold a value, I mean the checkbox has a value, it has a value from the database...
PFMaBiSmAd Posted May 21, 2012

SQL can be injected that contains NO tags or quotes, on which mysql_real_escape_string and strip_tags would have NO effect, depending on how you are using the value in a query statement.
angelali (Author) Posted May 21, 2012

Jesirose knows this code as she was helping me yesterday.... By the way Jesirose, I successfully solved the problem yesterday.. Here is the code I'm telling you about below:

The checkbox:

    echo '<td><input type="checkbox" name="delete[]" value="'.$row['img_ID'].'"/></td>';

A part of the code:

    if (isset($_POST['delete'])) {
        foreach ($_POST['delete'] as $delete) {
            $ids[] = mysql_real_escape_string(strip_tags($delete));
        }
        mysql_query("DELETE FROM photos WHERE images_ID IN (".implode(',', $ids).")");
        echo "Record Deleted.";
    }

Everything is ok, I only want to know if this can be attacked, that's all..
angelali (Author) Posted May 21, 2012

Well, are you here? I posted the full code.
Jessica Posted May 21, 2012

Again, if you're expecting an integer, just cast it as an integer. You don't need to do anything else with it.

By the way, this is not help on demand. Not getting a reply within 20 minutes is not a reason to bump the thread. Most of us have jobs and families, and I am caring for my 6 month old son while working. The rule on this forum is no bumping threads.
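A hardened version of the delete[] handler, written along the lines Jessica and PFMaBiSmAd describe, is added here as an example; it is not code from anyone in this thread. The point both of them make is that the ids end up in an IN (...) list with no surrounding quotes, so there is nothing for mysql_real_escape_string to escape and nothing for strip_tags to strip: a value that is not a number simply lands in the statement as SQL. The example therefore validates each value as a positive integer (dropping anything else) and binds the survivors as parameters. It assumes PDO rather than the mysql_* functions (those were removed in PHP 7) and a hypothetical, already configured connection named $pdo; the $submitted array is constructed sample input standing in for $_POST['delete'].

```php
<?php
// Added example, not the thread author's code: hardening the "delete[]"
// checkbox handler. Two layers: whitelist the ids as positive integers,
// then bind them as parameters instead of concatenating them into SQL.

declare(strict_types=1);

/**
 * Reduce submitted checkbox values to a list of distinct positive integers.
 * Anything that is not an integer is dropped rather than "escaped": escaping
 * neutralises quotes, and an IN (...) list of numbers has no quotes to protect.
 */
function sanitizeIds(array $rawIds): array
{
    $clean = [];
    foreach ($rawIds as $value) {
        if (!is_scalar($value)) {
            continue; // nested arrays in $_POST are never a valid id
        }
        // FILTER_VALIDATE_INT rejects letters, spaces inside the token,
        // decimals and anything below 1; it returns false on failure.
        $id = filter_var((string) $value, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1],
        ]);
        if ($id !== false) {
            $clean[$id] = true; // keyed by id to de-duplicate
        }
    }
    return array_keys($clean);
}

/**
 * Build a parameterised DELETE with one placeholder per id.
 * Returns [sql, params], or null when there is nothing valid to delete
 * (an empty "IN ()" is a syntax error in MySQL).
 */
function buildDeleteStatement(array $ids): ?array
{
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "DELETE FROM photos WHERE images_ID IN ($placeholders)";
    return [$sql, $ids];
}

// Constructed sample input standing in for $_POST['delete']. Only the
// plain positive integers survive; the other entries are silently dropped.
$submitted = ['14', '7', '7 extra', '', '-3', '21', '7'];

$stmt = buildDeleteStatement(sanitizeIds($submitted));

if ($stmt === null) {
    echo "Nothing to delete.", PHP_EOL;
} else {
    [$sql, $params] = $stmt;
    echo $sql, PHP_EOL;
    echo 'params: ', implode(',', $params), PHP_EOL;

    // With a live connection ($pdo is assumed to be a configured PDO instance):
    // $query = $pdo->prepare($sql);
    // $query->execute($params);
    // echo "Record Deleted.";
}
```

Run from the command line, the script prints the statement with three placeholders and the three surviving ids; the same two functions can be dropped into the original handler in place of the escape-and-implode loop. Because the ids are validated as integers and then bound, the statement text never contains user input at all, which is what makes the "no tags or quotes" case PFMaBiSmAd raises a non-issue.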
darkfreaks Posted May 22, 2012

I ran that section of code through the pixybox SQLi and XSS scanner; it came up with nothing. Not to say the rest of your code is the same way.
angelali (Author) Posted May 22, 2012

I'm sorry guys for asking two times for answers... @DarkFreaks, so if nothing has happened, then I think it's secure... Thank you guys...