Escape user input
Posted: Sat Mar 24, 2007 11:44 am
by user___
Hi guys,
I have developed a function which escapes the user input after it is placed in a variable which contains the whole query. After I browsed through some of the topics here I found out I was wrong.
Am I right that this does not provide any security at all?
Posted: Sat Mar 24, 2007 11:46 am
by John Cartwright
Without seeing the code it's difficult to say, but it sounds like you're trying to escape the whole query (only the variable should be escaped).
Reply
Posted: Sat Mar 24, 2007 11:58 am
by user___
Yes, I do escape the whole query. So I have to rewrite it to escape only the input.
Something like this:
function esc($sql) {
    // Here is the escape
    return $sql;
}
mysql_query(esc($sql));
Thank you.
Posted: Sat Mar 24, 2007 12:20 pm
by John Cartwright
more along the lines of
$username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username']) : '';
$password = isset($_POST['password']) ? mysql_real_escape_string($_POST['password']) : '';
// SELECT * FROM `bleh` WHERE `user` = '$username' and `pass` = '$password'
Like I said, do not escape the whole query.
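To make the difference concrete, here is an added example (not code from the thread) that runs the same input through both approaches and then through a prepared statement. It uses mysqli rather than the ext/mysql functions quoted above, which were removed in PHP 7; the connection details and the `users` table are placeholders.

```php
<?php
// Added example, not the thread's code. Assumes a MySQL server reachable
// with these placeholder credentials and a table `users`(`user`, `pass`).
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Constructed input: a perfectly ordinary name that happens to contain a
// quote. Any input with a quote, accidental or deliberate, ends the string
// literal early unless it is escaped where it is inserted.
$username = "O'Brien";
$password = "secret";

// 1) What the original post did: build the query first, then escape the
//    WHOLE string. The escaping also hits the quotes that belong to the SQL
//    itself, so the result is not a valid statement, and the unescaped
//    version is the one that would actually have run.
$raw = "SELECT * FROM `users` WHERE `user` = '$username' AND `pass` = '$password'";
$wholeEscaped = $db->real_escape_string($raw);
// $wholeEscaped now reads:
//   SELECT * FROM `users` WHERE `user` = \'O\'Brien\' AND `pass` = \'secret\'

// 2) What the reply recommends: escape each variable, then interpolate.
//    The quote inside the name is now \' and stays inside one literal.
$u = $db->real_escape_string($username);
$p = $db->real_escape_string($password);
$perVariable = "SELECT * FROM `users` WHERE `user` = '$u' AND `pass` = '$p'";
//   SELECT * FROM `users` WHERE `user` = 'O\'Brien' AND `pass` = 'secret'

// 3) Prepared statement: query text and values travel separately, so there is
//    no escaping step to forget at any call site. Preferred over 2) today.
$stmt = $db->prepare('SELECT * FROM `users` WHERE `user` = ? AND `pass` = ?');
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$stmt->store_result();
printf("rows matched: %d\n", $stmt->num_rows);
$stmt->close();
$db->close();
```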
Reply
Posted: Sat Mar 24, 2007 12:51 pm
by user___
Thank you man.
Re: Reply
Posted: Sat Mar 24, 2007 12:55 pm
by John Cartwright
user___ wrote: Thank you man.
My pleasure