variable passing

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

variable passing

Post by s.dot »

Do ALL variables at least need to be passed through mysql_real_escape_string, even if the client-side user doesn't know they're passing a variable?

For example, deleting a picture sends the id number of a picture to be deleted. Should this be passed through mysql_real_escape_string?

I'm having trouble knowing which variables need to be "purified" before being processed by PHP or MySQL.
smpdawg
Forum Contributor
Posts: 292
Joined: Thu Jan 27, 2005 3:10 pm
Location: Houston, TX

Post by smpdawg »

Absolutely. Never trust any data that can come back from the client. That means GET, POST, URL, etc. Filter them all and you'll reduce your risk.

Post by s.dot »

Okay, quick question:
Since I have all of my variables already set, and I didn't code much security when I first coded, what if I name the new secure variable the same name as the old variable... will it take precedence over the old?

For Example:

Code:

$variable = mysql_real_escape_string(strip_tags($variable));

// code containing a bunch of $variable here //

Which will take precedence?

Because if I have to rename all of my variables... well let's just say it'd take a long time.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

It will escape the stripped tags... so strip_tags will come first, I believe.

Post by s.dot »

No, I mean which $variable will be used in the code:

the $variable that has been passed through mysql_real_escape_string, or the unclean $variable?

Post by John Cartwright »

Not sure what you just said... $variable

but

Code:

$variable = mysql_real_escape_string(strip_tags($variable));
is now "clean"

Post by s.dot »

What I'm saying is $variable is the name of the unclean variable.

If I use $variable = mysqlblahblahblah($variable) <-- the unclean one in the parentheses...

will the clean one take precedence, or will the code still use the unclean one, since both variables have the same name?

Post by John Cartwright »

The variable becomes clean.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Or you could use prepared statements / parameter binding...

This way you don't have to call *sql_real_escape_string...
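Here is what that suggestion looks like for the picture-delete case from the first post, as an added example that is not code from the thread. It assumes a pictures table with id, owner and file columns and uses an in-memory SQLite database so it runs offline; the owner check and the integer validation step are additions beyond what the thread itself discusses.

```php
<?php
// Added example, not from the thread: "delete a picture by id" with PDO
// prepared statements, so no *_real_escape_string call is needed at all.
// Assumes a pictures(id, owner, file) table; uses in-memory SQLite so it
// runs stand-alone. Swap the DSN for a MySQL one in a real application.

function deletePicture(PDO $db, $rawId, int $currentUser): int
{
    // Validate first: a picture id is a positive integer, so anything
    // else is rejected outright instead of being "escaped" into the query.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0;
    }

    // The id travels as a bound parameter, never as part of the SQL text,
    // and the owner condition means a hidden or guessed id cannot remove
    // a row that belongs to somebody else.
    $stmt = $db->prepare('DELETE FROM pictures WHERE id = :id AND owner = :owner');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $currentUser, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pictures (id INTEGER PRIMARY KEY, owner INTEGER, file TEXT)');
$db->exec("INSERT INTO pictures VALUES (7, 1, 'a.jpg'), (8, 2, 'b.jpg')");

// Constructed inputs standing in for $_GET['id']: the value the form really
// sends, a tampered non-numeric value, and an id that belongs to another user.
printf("own picture 7 as user 1:      %d row(s) deleted\n", deletePicture($db, '7', 1));
printf("tampered id '7abc' as user 1: %d row(s) deleted\n", deletePicture($db, '7abc', 1));
printf("other user's picture 8:       %d row(s) deleted\n", deletePicture($db, '8', 1));
```

The first call removes one row; the other two remove nothing, the second because validation rejects the value before any query runs and the third because the owner condition does not match.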

Post by s.dot »

What is that?

Post by timvw »
