xiao Posted December 19, 2007

Hi, I currently have a form, and when you submit it validates, I use sessions to remember the inputted data. If the input is invalid, I use the sessions to print the data back into the form. Is it dangerous to only use mysql_real_escape_string() right before I insert everything in the database? Because right now, when I use mysql_real_escape_string before putting everything into session variables, I get stripped data into my forms when the input is invalid. And if I use stripslashes() before putting everything into session variables, there isn't really a point in escaping them anyway ... Or is there a better solution?
taith Posted December 19, 2007

Many people do use the mysql_real_escape_string()... however, I personally... just use html_entities()... it's FAR less problematic :-)
revraz Posted December 19, 2007

> Hi, I currently have a form, and when you submit it validates, I use sessions to remember the inputted data. If the input is invalid, I use the sessions to print the data back into the form. Is it dangerous to only use mysql_real_escape_string() right before I insert everything in the database? Because right now, when I use mysql_real_escape_string before putting everything into session variables, I get stripped data into my forms when the input is invalid. And if I use stripslashes() before putting everything into session variables, there isn't really a point in escaping them anyway ... Or is there a better solution?

I use it before I compare it to my validation. Because if it passes your validation, then the real escape string alters the data in any way, then it's possible it no longer conforms to your validation structure. You want it sanitized before you validate it, then you can insert it.
xiao Posted December 19, 2007

> I use it before I compare it to my validation. Because if it passes your validation, then the real escape string alters the data in any way, then it's possible it no longer conforms to your validation structure. You want it sanitized before you validate it, then you can insert it.

But how do I unescape it to put it in input fields and textareas then?

@taith: but PHP states for mysql_real_escape_string() that "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."
roopurt18 Posted December 19, 2007

xiao, unless you're calling header() before redisplaying the form, I'd be curious as to why you're storing the form values in the session to begin with.

@revraz

> I use it before I compare it to my validation. Because if it passes your validation, then the real escape string alters the data in any way, then it's possible it no longer conforms to your validation structure.

That logic is incorrect as far as I can tell. Let's say you have a data field that allows for apostrophes but not backslashes. If you escape and then validate, your validation will reject any input with a \' which would have been valid input before you escaped. In most cases, I would say it doesn't matter when you do it, but it's safest IMO to escape just prior to entering into the database.
xiao Posted December 19, 2007

> xiao, unless you're calling header() before redisplaying the form, I'd be curious as to why you're storing the form values in the session to begin with.

So the user doesn't have to re-enter everything if his passwords for example don't match.
revraz Posted December 19, 2007

I guess it all depends on what you expect in your data.
xiao Posted December 19, 2007

But if someone uses XSS, and I only use mysql_real_escape_string right before I enter data in the database, the XSS can have effect in the whole process between sending and storing?
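The flow the thread circles around, as an added example that is not from any poster: keep the raw submitted values in the session, validate the raw values (so an apostrophe stays an apostrophe, as roopurt18 describes), and escape only at each output boundary, with htmlspecialchars() when the value goes back into the form and the database driver's parameter binding when it goes into SQL. The functions, the SQLite in-memory database (used so the script runs offline; mysql_real_escape_string() plays the same query-time role for MySQL) and the sample input are all assumptions of this example.

```php
<?php
// Added example, not code from the thread. Raw input stays raw until it
// reaches a specific output context; each context gets its own escaping.

function validateSignup(array $in): array
{
    $errors = [];
    // Apostrophes allowed, backslashes not: validating the raw value is what
    // keeps "o'brien" valid, whereas validating an escaped "o\'brien" would not.
    if (!preg_match("/^[A-Za-z0-9_']{3,20}$/", $in['username'] ?? '')) {
        $errors[] = 'username must be 3-20 letters, digits, _ or apostrophe';
    }
    $pw = $in['password'] ?? '';
    if ($pw !== ($in['password2'] ?? '') || strlen($pw) < 8) {
        $errors[] = 'passwords must match and be at least 8 characters';
    }
    return $errors;
}

// HTML boundary: the raw session value is escaped for an attribute context only
// here, so redisplaying it never needs stripslashes() and never emits markup.
function formField(string $name, string $value): string
{
    return sprintf('<input name="%s" value="%s">', $name,
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// SQL boundary: the bound parameter is escaped by the driver at query time;
// nothing was escaped earlier, so the stored value is exactly what was typed.
function storeUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Constructed sample standing in for $_POST: an apostrophe and a script tag.
$post = ['username' => "o'brien", 'password' => 'correct-horse-9',
         'password2' => 'mismatch<script>alert(1)</script>'];
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT, pwhash TEXT)');

$session = $post;                         // unescaped copy kept for redisplay
$errors = validateSignup($session);
if ($errors) {                            // passwords differ: redisplay the form
    echo formField('username', $session['username']), "\n";   // o&#039;brien
    echo formField('password2', $session['password2']), "\n"; // &lt;script&gt;...
} else {
    storeUser($db, $session['username'], $session['password']);
}
```

The script tag is inert at every stage because it is only ever data until formField() encodes it; storing it in the session or the database does nothing by itself, which answers the question above about XSS "between sending and storing".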
xiao Posted December 20, 2007

*bump*