Security question


xiao


Hi,

I currently have a form, and when you submit it validates; I use sessions to remember the inputted data.

If the input is invalid, I use the sessions to print the data back into the form.

Is it dangerous to only use mysql_real_escape_string() right before I insert everything in the database?

Because right now, when I use mysql_real_escape_string before putting everything into session variables, I get stripped data into my forms when the input is invalid.

And if I use stripslashes() before putting everything into session variables, there isn't really a point in escaping them anyway ...

Or is there a better solution?


I use it before I compare it to my validation. Because if it passes your validation and then the real escape string alters the data in any way, it's possible it no longer conforms to your validation structure.

You want it sanitized before you validate it, then you can insert it.

 


But how do I unescape it to put it in input fields and textareas then?

I use it before I compare it to my validation. Because if it passes your validation and then the real escape string alters the data in any way, it's possible it no longer conforms to your validation structure.

You want it sanitized before you validate it, then you can insert it.

@taith:

but PHP states for mysql_real_escape_string() that "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL."


xiao, unless you're calling header() before redisplaying the form, I'd be curious as to why you're storing the form values in the session to begin with.

@revraz

I use it before I compare it to my validation. Because if it passes your validation and then the real escape string alters the data in any way, it's possible it no longer conforms to your validation structure.

That logic is incorrect as far as I can tell. Let's say you have a data field that allows for apostrophes but not backslashes. If you escape and then validate, your validation will reject any input with a \' which would have been valid input before you escaped.

In most cases, I would say it doesn't matter when you do it, but it's safest IMO to escape just prior to entering into the database.

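The ordering that post describes, as an added example that is not code from the thread: the session keeps the raw submission, validation runs on the raw values, htmlspecialchars() handles redisplay, and the database boundary uses a PDO prepared statement (the mysql_* extension that provided mysql_real_escape_string() was removed in PHP 7). It assumes an in-memory SQLite database and constructed sample submissions standing in for $_POST and $_SESSION.

```php
<?php
// Added example, not code from the thread. The session keeps the raw submission,
// validation runs on the raw values, and each output boundary does its own
// transformation: htmlspecialchars() into the form, a prepared statement into
// the database. SQLite in memory via PDO stands in for MySQL.
function validate(array $input): array {
    $errors = [];
    // The thread's example rule: apostrophes allowed, backslashes not. Only the
    // raw value can pass it; an already escaped "O\'Brien" would be rejected.
    if ($input['name'] === '' || str_contains($input['name'], '\\')) {
        $errors[] = 'name must be non-empty and contain no backslash';
    }
    if ($input['password'] !== $input['password2']) {
        $errors[] = 'passwords do not match';
    }
    return $errors;
}
// Redisplay from the raw copy: HTML-escape for the page, no stripslashes() needed.
function formField(string $name, string $value): string {
    return sprintf('<input name="%s" value="%s">', $name,
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}
// Escape only at the database boundary: the driver quotes the bound parameters.
function store(PDO $db, array $input): void {
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :pw)');
    $stmt->execute([
        ':name' => $input['name'],
        ':pw'   => password_hash($input['password'], PASSWORD_DEFAULT),
    ]);
}
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (name TEXT, pw_hash TEXT)');
$session = [];                                  // stands in for $_SESSION
// Constructed submissions standing in for $_POST: first invalid, then valid.
foreach ([
    ['name' => "O'Brien <b>", 'password' => 'abc', 'password2' => 'abd'],
    ['name' => "O'Brien <b>", 'password' => 'abc', 'password2' => 'abc'],
] as $post) {
    $errors = validate($post);
    if ($errors) {
        $session['form'] = $post;               // raw, exactly what the user typed
        echo implode('; ', $errors), "\n", formField('name', $session['form']['name']), "\n";
    } else {
        store($db, $post);
        unset($session['form']);
        echo 'stored rows: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
    }
}
```

With the old mysql_* extension the equivalent boundary step was mysql_real_escape_string() applied to the copy used in the query string only, leaving the session copy untouched so it could be redisplayed without stripslashes().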

xiao, unless you're calling header() before redisplaying the form, I'd be curious as to why you're storing the form values in the session to begin with.


So the user doesn't have to re-enter everything if his passwords for example don't match.
