php - mysql_real_escape_string and html_special_chars enough?

This question gets asked a lot, and I still haven't found a straight reply on Stack Overflow. Are these 2 functions sufficient or not? There are a lot of contradictory comments around the net: "yes, it's fine", "no, never use it". Others say use PDO, which I don't understand. I'm a beginner at PHP and don't understand the ins and outs of security. I've tried reading and understanding the following, but many of them don't make much sense to me.

http://ha.ckers.org/xss.html
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

What if I use preg_replace to strip unwanted characters?

I'm incredibly confused and don't know where to start.

Edit: Please recommend how to go about understanding prepared statements (assuming that's the best option).

Sam, if you are storing input in a database, to avoid SQL injection and XSS those 2 functions are enough. If you are storing passwords, you must encrypt the passwords with one-way encryption (that cannot be decrypted).

Let me expand my answer: first of all, SQL injection is a method by which a malicious user attempts to modify the SQL statement to create whatever they will. For example, let's say you have a login form. By inserting one of the following values into an unprotected form, one would be able to log in as the first account without knowing a username or password:

' or 1=1 --

There are many versions of the above injection. Let's examine the SQL executed on the database:

The PHP: mysql_query("select * from users where username='" . $username . "' and password='" . $password . "';");

When the above is executed, the following SQL is sent to the database:

select * from users where username='' or 1=1-- ' and password='' or 1=1--';

The effective part of the SQL is this: select * from users where username='' or 1=1

as the double dash (with a space afterwards) is a comment, removing the rest of the statement.

Now this gives the malicious user access. With the use of an escaping function such as mysql_real_escape_string, one can escape the content so that the following is sent to the database:

select * from users where username='\' or 1=1-- ' and password='\' or 1=1--';

That escapes the quotes, making the intended strings just that: strings.

Now let's look at XSS. A malicious user could alter the layout of the page. A known XSS attack was the facespace attack on Facebook in 2005. It involves inserting raw HTML into forms. The database would save the raw HTML and it would be displayed to users. A malicious user could insert JavaScript with the use of a script tag, and JavaScript can do anything!

This is escaped by converting < and > to &lt; and &gt; respectively. Use the html_special_chars function for this.

This should be plenty secure for normal content on a site. Passwords are a different story.

For passwords, you must encrypt the password. It's advisable to use PHP's crypt function for this.

However, once the password is encrypted and saved in the database as an encrypted password, how can one decrypt it to check it is correct? The easy answer: don't decrypt it. Hint: a password always encrypts to the same value.

If you were thinking 'we can encrypt the password when the user logs in and check it against the one in the database', you're correct...
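As an added example (not code from the question or the answer), here is the concatenated query the answer describes beside the PDO prepared statement the question asks about, with htmlspecialchars applied on output; it assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL, with a constructed users table.

```php
<?php
// Added example, not code from the question or the answer. Assumes PHP with
// the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL
// so it runs offline. The users table and its one row are constructed data.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    // Store a one-way hash, never the plaintext (password_hash is used here
    // in place of the crypt call the answer mentions; both are one-way).
    $ins = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $ins->execute([':u' => 'alice', ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);
    return $db;
}

// The concatenated lookup from the answer: the input is parsed as SQL text.
function rowsByConcat(PDO $db, string $username): int {
    $sql = "SELECT id FROM users WHERE username='" . $username . "'";
    return count($db->query($sql)->fetchAll());
}

// Prepared statement: the placeholder is bound as data, so a quote or a
// comment marker in the input cannot change the structure of the statement.
function loginPrepared(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify compares the plaintext to the stored hash; nothing is decrypted.
    return $row !== false && password_verify($password, $row['password']);
}

// Output encoding is a separate concern: escape on the way out to HTML.
function safeHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = makeDb();
$payload = "' or 1=1 --";
printf("concat, injected value: %d row(s)\n", rowsByConcat($db, $payload));
printf("concat, real username : %d row(s)\n", rowsByConcat($db, 'alice'));
var_dump(loginPrepared($db, $payload, 'anything'));
var_dump(loginPrepared($db, 'alice', 's3cret'));
echo safeHtml('<script>alert(1)</script>'), "\n";
```

The concatenated lookup matches a row for the injected value just as it does for the real username, while the prepared lookup only succeeds for the genuine credentials; the last line shows the angle brackets and quotes encoded as entities.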

php security sql-injection code-injection
