variable passing
Posted: Wed Mar 02, 2005 6:24 pm
by s.dot
Do ALL variables at least need to be passed through mysql_real_escape_string, even if the client-side user doesn't know they're passing a variable?
For example, deleting a picture sends the id number of a picture to be deleted. Should this be passed through mysql_real_escape_string?
I'm having trouble knowing which variables need to be "purified" before being processed by PHP or MySQL.
Posted: Wed Mar 02, 2005 6:27 pm
by smpdawg
Absolutely. Never trust any data that can come back from the client. That means GET, POST, URL, etc. Filter them all and you'll reduce your risk.
Posted: Wed Mar 02, 2005 6:30 pm
by s.dot
Okay, quick question:
since I have all of my variables already set, and didn't code much security when I first coded, what if I give the new secure variable the same name as the old variable.. will it take precedence over the old?
For Example:
$variable = mysql_real_escape_string(strip_tags($variable));
// code containing a bunch of $variable here //
Which will take precedence?
Because if I have to rename all of my variables... well let's just say it'd take a long time.
Posted: Wed Mar 02, 2005 6:43 pm
by John Cartwright
it will escape the stripped tags... so strip tags will come first, I believe.
Posted: Wed Mar 02, 2005 7:33 pm
by s.dot
no I mean which $variable will be used in the code
the $variable that has been passed through mysql_real_escape_string or the unclean $variable
Posted: Wed Mar 02, 2005 7:35 pm
by John Cartwright
Not sure what you just said.. $variable
but
$variable = mysql_real_escape_string(strip_tags($variable));
is now "clean"
Posted: Wed Mar 02, 2005 7:57 pm
by s.dot
what I'm saying is $variable is the name of the unclean variable
if I use $variable = mysqlblahblahblah($variable) <-- the unclean one in the parentheses...
will the clean one take precedence or will the code still use the unclean one.. since both variables have the same name
Posted: Wed Mar 02, 2005 8:04 pm
by John Cartwright
The variable becomes clean.
Posted: Wed Mar 02, 2005 8:42 pm
by timvw
or you could use prepared statements/ parameter binding....
this way you don't have to call *sql_real_escape_string...
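The two approaches the thread compares, written out for the delete-picture case from the first post. This is an added example, not code from any poster; it assumes a PHP 7+ mysqli connection in $db (the thread's mysql_real_escape_string is the old ext/mysql function, replaced here by mysqli's real_escape_string) and a constructed table `pictures` with an integer `id` column.

```php
<?php
// 1. The escape-and-reassign idiom asked about above. Assigning the escaped
//    value back to $id overwrites the old value, so every later use of $id in
//    the function sees the escaped copy: there is only ever one variable named $id.
function delete_picture_escaped(mysqli $db, string $id): bool
{
    $id = $db->real_escape_string(strip_tags($id));   // same name, now escaped
    // real_escape_string only protects the inside of a quoted string literal,
    // so the value MUST be wrapped in quotes in the SQL. Dropping the quotes
    // around a numeric column value leaves it injectable, because non-quote
    // input contains nothing for the escaper to change.
    $sql = "DELETE FROM pictures WHERE id = '$id'";
    return $db->query($sql) === true;
}

// 2. Parameter binding, as timvw suggests. The SQL text and the value travel to
//    the server separately, so the value is never parsed as SQL and no escaping
//    call is needed at all.
function delete_picture_bound(mysqli $db, string $id): bool
{
    // The id is a number: validate it up front and refuse anything else
    // rather than letting a cast silently turn junk into 0.
    $picture_id = filter_var($id, FILTER_VALIDATE_INT);
    if ($picture_id === false) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM pictures WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $picture_id);   // 'i' = bind as integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (hypothetical request): the raw $_GET value goes in, the function
// does the cleaning, nothing else in the script has to remember to.
// $ok = delete_picture_bound($db, $_GET['id'] ?? '');
```

With binding, the answer to the "which $variable wins" question becomes moot: the raw value is passed straight to the function and the driver, not interpolated into SQL, so there is no clean copy to keep track of.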
Posted: Wed Mar 02, 2005 10:20 pm
by s.dot
what is that?
Posted: Thu Mar 03, 2005 4:59 am
by timvw