variable passing

Posted: Wed Mar 02, 2005 6:24 pm
by s.dot
Do ALL variables at least need to be passed through mysql_real_escape_string, even if the client-side user doesn't know they're passing a variable?

For example, deleting a picture sends the id number of a picture to be deleted. Should this be passed through mysql_real_escape_string?

I'm having trouble knowing which variables need to be "purified" before being processed by PHP or MySQL.

Posted: Wed Mar 02, 2005 6:27 pm
by smpdawg
Absolutely. Never trust any data that can come back from the client. That means GET, POST, URL, etc. Filter them all and you'll reduce your risk.

Posted: Wed Mar 02, 2005 6:30 pm
by s.dot
Okay quick question
since I have all of my variables already set, and didn't code much security when I first coded, what if I name the new secure variable the same name as the old variable.. will it take precedence over the old?

For Example:

$variable = mysql_real_escape_string(strip_tags($variable));

// code containing a bunch of $variable here //
Which will take precedence?

Because if I have to rename all of my variables... well let's just say it'd take a long time.

Posted: Wed Mar 02, 2005 6:43 pm
by John Cartwright
it will escape the stripped tags... so strip tags will come first, I believe.

Posted: Wed Mar 02, 2005 7:33 pm
by s.dot
no I mean which $variable will be used in the code

the $variable that has been passed thru mysql_real_escape_string or the unclean $variable

Posted: Wed Mar 02, 2005 7:35 pm
by John Cartwright
Not sure what you just said.. $variable

but

$variable = mysql_real_escape_string(strip_tags($variable));
is now "clean"

Posted: Wed Mar 02, 2005 7:57 pm
by s.dot
what I'm saying is $variable is the name of the unclean variable

if I use $variable = mysqlblahblahblah($variable) <-- the unclean one in the parenthesis...

will the clean one take precedence or will the code still use the unclean one.. since both variables have the same name

Posted: Wed Mar 02, 2005 8:04 pm
by John Cartwright
The variable becomes clean.

Posted: Wed Mar 02, 2005 8:42 pm
by timvw
or you could use prepared statements / parameter binding....

this way you don't have to call *sql_real_escape_string...
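
The prepared-statement approach timvw suggests, applied to the picture-deletion case from the first post, as an added example (PDO code written for this page, not from the thread). The table columns, DSN, credentials and the owner check are assumptions:

```php
<?php
// Added example, not code from the thread. Shows the "delete a picture by id"
// case from the first post with prepared statements / parameter binding (PDO),
// so no call to mysql_real_escape_string is needed. Assumes a hypothetical
// `pictures` table (id INT, owner_id INT, caption VARCHAR) and DSN/credentials.

$pdo = new PDO(
    'mysql:host=localhost;dbname=gallery;charset=utf8mb4', // hypothetical
    'gallery_user',                                        // hypothetical
    'secret',                                              // hypothetical
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // With emulation on, PDO escapes values client-side and splices them
        // into the SQL text. Off, the server receives SQL and values separately.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * Delete one picture, but only if it belongs to the current user (assumed
 * owner_id column). Both values come from the client and are bound as data,
 * never concatenated into the query string.
 */
function deletePicture(PDO $pdo, string $rawId, int $ownerId): int
{
    // Binding stops the value being parsed as SQL; a shape check on top of
    // that rejects obvious garbage before the database ever sees it.
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('picture id must be a positive integer');
    }
    $stmt = $pdo->prepare('DELETE FROM pictures WHERE id = :id AND owner_id = :owner');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->bindValue(':owner', $ownerId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // 0 means no such picture, or not the caller's
}

/** Strings are bound the same way; quotes in $caption need no escaping at all. */
function updateCaption(PDO $pdo, int $id, string $caption): void
{
    $stmt = $pdo->prepare('UPDATE pictures SET caption = ? WHERE id = ?');
    $stmt->execute([$caption, $id]);
}

// Usage: $_GET['id'] is still untrusted input, but it reaches the driver as a
// parameter, not as part of the SQL text. $currentUserId is hypothetical.
$currentUserId = 42;
$deleted = deletePicture($pdo, $_GET['id'] ?? '', $currentUserId);
```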

Posted: Wed Mar 02, 2005 10:20 pm
by s.dot
what is that?

Posted: Thu Mar 03, 2005 4:59 am
by timvw