PHP/MYSQL Prevent sql injection attacks function -


i want upgrade , make more systematic, protection against sql injection attacks. gather 3 main methods pdo, prepared statements , mysql_escape_string, pdo considered best mysql_escape_string considered adequate if meticulous. don't think ready go pdo or prepared statements have lot of complicated queries involving multiple tables huge task. want make use of mysql_escape_string more programmatic.

rather escape every individual variable users submit, thinking of escape sql commands standard function might require modification handle punctuation sound approach or escaping whole query create problems-i use apostrophes, backticks , %, example. seem standard function every sql statement more systematic , standard variable variable approach. question modifications handle punctuation might needed? also, there else ought go function such htmlspecialchars , strip_tags gather mysql_escape_string not 100% complete?

here basic function.

function safe($sql) { $safesql = mysql_real_escape_string($sql); return $safesql; }

i don't think ready go pdo or prepared statements have lot of complicated queries involving multiple tables huge task.

huge? perhaps. worth effort though.

will escaping whole query create problems

yes. function have no way of knowing if piece of sql injection attack or intended.

you have escape text @ point inserted sql. can't insert text sql , figure out bit sql , bit text afterwards.

is there else ought go function such htmlspecialchars , strip_tags

strip_tags throws data away. wouldn't use it.

both strip_tags , htmlspecialchars offer protection against unsafe data being inserted html document. use them before inserting data html document, not before inserting data sql.


Comments

Post a Comment

Popular posts from this blog

java - Play! framework 2.0: How to display multiple image? -

i need display gallery of photos. here template: @(photos: list[photo]) @title = { <bold>gallery</bold> } @main(title,"photo"){ <ul class="thumbnails"> @for(photo <- photos) { <li class="span3"> <a href="#" class="thumbnail"> <img src="@photo.path" alt=""> </a> </li> } </ul> } and here controller method: public static result getphotos() { return ok(views.html.photo.gallery.render(photo.get())); } and here photo bean : @entity public class photo extends model { @id public long id; @required public string label; public string path; public photo(string path, string label) { this.path = path; this.label = label; } private static finder<long, photo> find = new finder<long, photo>( long.class, photo.class); public static list<phot...
Read more

gmail - Is there any documentation for read-only access to the Google Contacts API? -

i want read-only access user's google contacts. there stackoverflow member wanted this, , received following answer : yes, there is, use https://www.googleapis.com/auth/contacts.readonly scope , "view contacts". this exchange reference read-only access google contacts can find using google. simply using access token obtained attempt read usual google contacts api (i.e. https://www.google.com/m8/feeds ) fails insufficient permissions. similarly, using google contacts api on new target fails 404 errors (for example https://www.googleapis.com/auth/contacts.readonly/default/full ). is there documentation anywhere on how use api, or permissible way access google contacts api full read-write access?
Read more

php - Controller/JToolBar not working in Joomla 2.5 -

relevant code: jtoolbarhelper::custom('savecategories', 'save', '', 'save', false, false); ... <input type="hidden" name="controller" value="easyblogcontroller"> according can dig docs , own previous questions, should call savecategories() function in easyblogcontroller . i've tried setting value easyblog , easyblog.php (file name) current easyblogcontroller (class name). clicking on save button refreshes page. not redirect, echo or var_dump test code put in savecategories() function. var_dump ing jrequest::getvar('controller') , 'task' return correct values. creating controller object , using $controller->execute('task'); works. the values going depend on location of controller trying call, , have couple options here. typically there controller in base folder of component (likely components/com_easyblog) in file called controller.php , class name inside ...
Read more