Escape user input

Posted: Sat Mar 24, 2007 11:44 am
by user___
Hi guys,
I have developed a function which escapes the user input after it is parsed into a variable which contains the whole query. After I browsed through some of the topics here I found out I was wrong.

Am I right that this offers no security at all?

Posted: Sat Mar 24, 2007 11:46 am
by John Cartwright
Without seeing the code it's difficult to say, but it sounds like you're trying to escape the whole query (only the variable should be escaped).

Posted: Sat Mar 24, 2007 11:58 am
by user___
Yes, I do escape the whole query. So I have to rewrite it to escape only the input.
Something like this:

function esc($sql) {
    // Here is the escape
    return $sql;
}
mysql_query(esc($sql));

Thank you.

Posted: Sat Mar 24, 2007 12:20 pm
by John Cartwright
more along the lines of

$username = isset($_POST['username']) ? mysql_real_escape_string($_POST['username']) : '';
$password = isset($_POST['password']) ? mysql_real_escape_string($_POST['password']) : '';

// Only the escaped values are interpolated; the query text itself is not escaped.
$sql = "SELECT * FROM `bleh` WHERE `user` = '$username' AND `pass` = '$password'";

Like I said, do not escape the whole query.

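The difference between the two approaches discussed above, as an added runnable example that is not code from this thread: Python's sqlite3 module stands in for PHP/MySQL, quote-doubling is the SQLite analogue of mysql_real_escape_string, and the `bleh` table with its two rows is constructed for the demo. It also shows bound parameters, which are the usual present-day replacement for manual escaping.

```python
import sqlite3


def make_db():
    """Constructed sample table; an in-memory SQLite database stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bleh (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO bleh VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brien", "pa55")])
    conn.commit()
    return conn


def escape_value(s):
    """SQLite analogue of mysql_real_escape_string: a single quote inside a
    string literal is written as two single quotes."""
    return s.replace("'", "''")


def run(conn, sql):
    """Run one query; return ('ok', rows) or ('error', message)."""
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as e:
        return ("error", str(e))


def lookup_raw(conn, username, password):
    # No escaping at all: a quote in the input ends the string literal early,
    # and whatever follows it is parsed as SQL rather than as data.
    sql = f"SELECT * FROM bleh WHERE user = '{username}' AND pass = '{password}'"
    return run(conn, sql)


def lookup_whole_query_escaped(conn, username, password):
    # The original poster's approach: assemble the query, then escape all of it.
    # The quotes that delimit the literals are escaped too, so the statement is
    # no longer valid SQL, and the input was already spliced in unprotected.
    sql = f"SELECT * FROM bleh WHERE user = '{username}' AND pass = '{password}'"
    return run(conn, escape_value(sql))


def lookup_value_escaped(conn, username, password):
    # John Cartwright's advice: escape each value before it is placed into the
    # query text, so the delimiters around it stay intact.
    u, p = escape_value(username), escape_value(password)
    sql = f"SELECT * FROM bleh WHERE user = '{u}' AND pass = '{p}'"
    return run(conn, sql)


def lookup_parameterized(conn, username, password):
    # Bound parameters: the driver keeps query text and data separate, so no
    # escaping step is needed at all.
    try:
        rows = conn.execute("SELECT * FROM bleh WHERE user = ? AND pass = ?",
                            (username, password)).fetchall()
        return ("ok", rows)
    except sqlite3.Error as e:
        return ("error", str(e))


def compare(username, password):
    """Outcome ('ok' or 'error') of each approach for one set of credentials."""
    conn = make_db()
    return {
        "raw": lookup_raw(conn, username, password)[0],
        "whole_query_escaped": lookup_whole_query_escaped(conn, username, password)[0],
        "value_escaped": lookup_value_escaped(conn, username, password)[0],
        "parameterized": lookup_parameterized(conn, username, password)[0],
    }


if __name__ == "__main__":
    for creds in [("alice", "s3cret"), ("O'Brien", "pa55")]:
        print(creds, compare(*creds))
```

Escaping the whole query fails even for a plain username like `alice`, because the quotes the query itself needs get escaped; raw interpolation only fails once the input contains a quote, which is exactly the case where its structure is no longer under the author's control. Per-value escaping and bound parameters both handle `O'Brien` correctly.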
Posted: Sat Mar 24, 2007 12:51 pm
by user___
Thank you man.

Posted: Sat Mar 24, 2007 12:55 pm
by John Cartwright
user___ wrote: Thank you man.
My pleasure