MmmVomit Posted October 1, 2007

Any data retrieved from an outside source should always be suspect, but what about data retrieved from your own database?

I'm writing the profile page for my website, and I need to display the username and email address. These were filtered before being put into the database. The username was checked for length and invalid characters. The email address was checked against a regex for email addresses.

Do you think it's necessary to re-filter this data, before using it? If so, how rigorous should I be? Of course, I will escape everything before output (htmlentities(), mysql_real_escape_string(), etc.)

trq Posted October 1, 2007

> Do you think it's necessary to re-filter this data, before using it? If so, how rigorous should I be? Of course, I will escape everything before output (htmlentities(), mysql_real_escape_string(), etc.)

Why would you need to? If the data was checked when it was entered it still will be fine.

Also, there isn't ever a need to escape data when retrieving from the database. You need only escape data when using it within queries.

MmmVomit Posted October 1, 2007 Author

> > Do you think it's necessary to re-filter this data, before using it? If so, how rigorous should I be? Of course, I will escape everything before output (htmlentities(), mysql_real_escape_string(), etc.)
>
> Why would you need to? If the data was checked when it was entered it still will be fine.

In theory, there could be multiple parts of the application that update the same information. I would need to be sure that all of these inputs to the database are filtered correctly to then trust data retrieved from the database.

Also, if someone were to somehow circumvent my filters, say, by gaining direct access to the database, then there would be no controls on this data at all. Unlikely, yes, but not to be dismissed out of hand.

I'm thinking I should just run the username and email addresses through their respective regexes, and if those pass, trust them.

> Also, there isn't ever a need to escape data when retrieving from the database. You need only escape data when using it within queries.

Right. I was saying that I would escape any data retrieved from the database before using it as output. For example, if I retrieve an email address from the database, I'll run it through htmlentities() before displaying it on the screen, or through mysql_real_escape_string() before using it in another query.

roopurt18 Posted October 1, 2007

If you're checking it as it goes in, then theoretically you shouldn't have to check it as it comes out.

If your database were directly compromised, as in someone were able to connect to it and insert whatever they wanted, then if you don't filter the data as it comes out it will affect your users. To what extent it harms them depends on what is placed in the database.

I still wouldn't filter data as it came back out in most applications though. If you know for a fact that your code filters everything that goes in and somehow Javascript is coming back out, that's a pretty clear sign that something somewhere is insecure. Had you again filtered the output you would never know someone had direct access to your database.

roopurt18 Posted October 1, 2007

> In theory, there could be multiple parts of the application that update the same information. I would need to be sure that all of these inputs to the database are filtered correctly to then trust data retrieved from the database.

This is where a standardized set of update and insert functions comes in handy. Write the code once and then call it from anywhere.

MmmVomit Posted October 1, 2007 Author

> I still wouldn't filter data as it came back out in most applications though. If you know for a fact that your code filters everything that goes in and somehow Javascript is coming back out, that's a pretty clear sign that something somewhere is insecure. Had you again filtered the output you would never know someone had direct access to your database.

Not true. If a piece of data retrieved from the database does not pass the filter, I can throw up some sort of flag to let me know. I'm just trying to decide how paranoid I should be. For example:

```php
// get data from database
if (filter($data_from_database)) {
    // use data
} else {
    // log an error, or trigger some other mechanism to notify admin
}
```

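The two ideas from the posts above, roopurt18's single set of insert/update functions and MmmVomit's re-check on read that flags failures, sketched as an added example that is not code from any poster in the thread. The function names, the username rule, the `users` table and the sample rows are assumptions; it uses PDO with an in-memory SQLite database so it runs on its own.

```php
<?php
// Added example: names, rules and sample rows are assumptions, not from the thread.

// One validator shared by the write path and the read path.
function profile_errors(array $row): array {
    $errors = [];
    // Assumed username rule: 3-20 letters, digits or underscores.
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $row['username'] ?? '')) {
        $errors[] = 'username';
    }
    if (filter_var($row['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    return $errors;
}

// Single write path: validate, then bind the values as query parameters.
function save_profile(PDO $db, array $row): bool {
    if (profile_errors($row)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    return $stmt->execute([$row['username'], $row['email']]);
}

// Read path: a row that fails the re-check is logged for the admin and not
// displayed; a row that passes is still HTML-escaped for output.
function render_profile(array $row): string {
    $failed = profile_errors($row);
    if ($failed) {
        error_log('profile row failed re-validation: ' . implode(',', $failed));
        return '<p>Profile unavailable.</p>';
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<p>' . $e($row['username']) . ' &lt;' . $e($row['email']) . '&gt;</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, email TEXT)');
var_dump(save_profile($db, ['username' => 'mmm_vomit', 'email' => 'mv@example.com']));
// Constructed row written straight to the table, bypassing save_profile().
$db->exec("INSERT INTO users VALUES ('<script>alert(1)</script>', 'x@example.com')");
foreach ($db->query('SELECT username, email FROM users', PDO::FETCH_ASSOC) as $row) {
    echo render_profile($row), "\n";
}
```

The re-check and the escaping do different jobs: the re-check is a tamper alarm for rows that did not come through `save_profile()`, while `htmlspecialchars()` keeps any stored value inert in the HTML context even when the check passes.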