Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm a super noob at PHP, like, just started programming with it about a week ago. I had some help with this, but anyways. All it is: an HTML form sends POST data to my PHP page, and the page stores it in a MySQL database. The database then displays the user's message on a separate page. The user's IP is also logged in case someone abuses the system. Does the code properly protect from SQL injections?
***** PLEASE USE THE PHP TAG FOR PHP CODE AND DO NOT POST PASSWORDS *****
feyd:~ feyd$ php -r "stripslashes(array('foo','bar')); echo PHP_EOL;"
PHP Notice: Array to string conversion in Command line code on line 1
Notice: Array to string conversion in Command line code on line 1
The same will happen in your file if data other than scalars are given, except the full path will be disclosed where you see "Command line."
REMOTE_ADDR might not always be set. And, since it's vulnerable to changing by the end user, running it through mysql_real_escape_string() probably wouldn't be a bad idea.
Thanks much :]
And @feyd, how exactly do I fix that?
Here's my current code, I added a row to my table and fixed what scottayy pointed out.
Here's a function I've written that will accomplish what you need. It is probably better to use a non-recursive function, though.
How would I be able to work that into my code? Do I just put that in exactly as it is, then replace "mysql_real_escape_string(" with "stripslashes_recursive("?
You two are telling me to do different things lol. What's the difference between what Jcart wants me to do and what you're telling me to do? They both do the same things and are both secure, right?
Last edited by Darkzero on Sat Oct 27, 2007 10:41 pm, edited 1 time in total.
You simply add the function to your script and change
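A recursive stripslashes along the lines discussed in this thread, written here as an added example (it is not feyd's or jmut's posted function) and assuming a `messages` table with `ip` and `message` columns and an open connection in `$link`:

```php
<?php
// Added example, not the code posted in this thread.
// Recursively undo magic_quotes_gpc escaping. Handles nested arrays so the
// "Array to string conversion" notice from stripslashes() never fires, and
// leaves non-string scalars (ints, bools, null) untouched.
function stripslashes_recursive($value)
{
    if (is_array($value)) {
        return array_map('stripslashes_recursive', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only strip when magic quotes actually added slashes; stripping
// unconditionally would corrupt backslashes the user typed on purpose.
if (get_magic_quotes_gpc()) {
    $_POST = stripslashes_recursive($_POST);
}

// Reject non-string input (e.g. message[]=x turns the field into an array)
// instead of letting it reach the query.
$message = (isset($_POST['message']) && is_string($_POST['message']))
    ? $_POST['message'] : '';

// REMOTE_ADDR may be absent under some SAPIs, so default to an empty string.
$ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

// Escape each value immediately before building the query, with the open
// connection ($link is assumed to exist) so the connection charset is used.
// Table and column names are placeholders for this example.
$sql = sprintf(
    "INSERT INTO messages (ip, message) VALUES ('%s', '%s')",
    mysql_real_escape_string($ip, $link),
    mysql_real_escape_string($message, $link)
);
mysql_query($sql, $link);
```

Magic quotes were removed in PHP 5.4 and the mysql_* extension in PHP 7, so on current PHP the stripslashes step disappears and prepared statements (mysqli or PDO) replace the escaping step.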
scottayy wrote:REMOTE_ADDR might not always be set. And, since it's vulnerable to changing by the end user, running it through mysql_real_escape_string() probably wouldn't be a bad idea.
No, it's not. It always contains the IP address of the client/proxy. But passing it through escaping anyway is a good idea indeed.
feyd, it would be good to have a definitive solution to point to for this -- as this question comes up often. I searched and couldn't find yours. Is yours or jmut's a better implementation?