08-14-2009, 09:57 PM   #21
Terinalo (Senior Member, joined Oct 2005, 471 posts)
You're just making it difficult for yourself to follow the code.

PHP Code:
$username = mysql_real_escape_string( $input );
$result = mysql_query( "SELECT id FROM users WHERE username = '$username'" );
The strip_tags() is useless with regard to sanitizing the input before sending it to the database. HTML, XML, PHP tags, etc. can do no harm there because the query parser won't understand the tags; they're just strings to the parser.

The strtolower() could be needed in some cases (i.e. if you force usernames to be lowercase), but it's certainly not needed to sanitize input. SQL statements don't need to be uppercase; we just write them that way for clarity only.

And then all str_replace() calls are replaced by one single mysql_real_escape_string(). That function asks the MySQL library to escape all "dangerous" characters; you can't do it any better yourself. If the MySQL team decides to add a character somewhere, they'll update the library and your code will be fine without the need for any changes. Added bonus: this function is binary safe, so it can be used to sanitize binary data (i.e. an image) that goes to the database.
NOTE: mysql_real_escape_string() needs an open database connection! If you have multiple connections, you can pass the correct one as an optional second parameter. In turn it will do the escaping correctly for any character set you might be using.

Don't think you're safe now, because this really is just part 1. Oh, just for the record, there is an alternative where you don't need to escape any data at all. If you work with bound parameters, you are not vulnerable to SQL injections at all. But that's a more advanced topic.

Ok, thank you. I've added mysql_real_escape_string($input) everywhere I've used a $_GET or $_POST, just to be safe.

Now I suppose comes the difficult part: how do I get users to come to my site? I've added it to Google and Yahoo, but I'm pretty sure the only hits I'm getting are me and users from this forum...
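The "bound parameters" alternative mentioned in the quoted reply, as an added example that is not code from this thread or from either poster. It uses PDO against an in-memory SQLite database so it runs stand-alone without a MySQL server; the thread itself uses the old mysql_* extension, and the same prepare/execute pattern applies unchanged with PDO's MySQL driver. The table, the sample usernames and the helper name findUserId() are constructed for the example.

```php
<?php
// Added example (not from the thread): looking up a user with a bound
// parameter instead of escaping a value into the SQL string.

// Constructed sample data: an in-memory SQLite database with a small users
// table. The names are chosen to trip up naive string concatenation
// (an apostrophe) and to show that HTML-looking text is irrelevant to SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');

// Inserts also go through a prepared statement; the same statement is
// reused with a different bound value each time.
$insert = $pdo->prepare('INSERT INTO users (username) VALUES (?)');
foreach (['alice', "o'brien", '<b>bob</b>'] as $name) {
    $insert->execute([$name]);
}

/**
 * Hypothetical helper: look up a user id by exact username.
 *
 * The SQL text contains only the placeholder; the username travels to the
 * database as data and is never parsed as part of the statement. That is
 * why no mysql_real_escape_string(), strip_tags() or strtolower() call is
 * needed for safety here.
 */
function findUserId(PDO $pdo, string $input): ?int
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->execute([$input]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// An apostrophe in the input is just a character in the compared value.
var_dump(findUserId($pdo, "o'brien"));

// Tags are ordinary text to the query parser, exactly as the reply says;
// they only matter later, when the value is echoed back into an HTML page.
var_dump(findUserId($pdo, '<b>bob</b>'));

// Case still matters for the comparison: this is the one place where a
// strtolower() on the input would be a business rule, not a security step.
var_dump(findUserId($pdo, 'Alice'));
```

Run it with `php example.php`. The important line is the prepare() call: because the statement text is fixed before any user data is attached, the database can never mistake part of the username for SQL, which is what escaping with mysql_real_escape_string() has to approximate character by character.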