Forum Index » PHP and mySQL

Topic: Database input/display question...

David1159
Subject: "Database input/display question..." Posted: @ 6:10 am on Aug 22 2008

More directed towards bs0d due to his forum coding; others can answer. All inputs... textareas, input type text... can be used to hack into a database. I've thought about replacing key symbols (<, $, #, ^, etc.) with blanks. But I've noticed people post stuff here like <BR> and it appears as such; it doesn't execute its HTML code in the post, rather it displays <BR>.

I have strip_tags() now, but it isn't optimal for a user. I've tried filters, htmlspecialchars, etc.

If anyone does have an answer, can I get an explanation why/how?




Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.

misterhaan
Subject: "re: Database input/display question..." Posted: @ 3:04 pm on Aug 22 2008

I always do addslashes(htmlspecialchars($input)) before putting it into a database query, and also make sure to quote the value in the query.

htmlspecialchars I believe handles <, >, &, and " by turning them into &lt; &gt; &amp; and &quot; so it




please note that the above post is likely made up in its entirety.


David1159
Subject: "re: Database input/display question..." Posted: @ 6:22 am on Aug 27 2008

I did a test with htmlspecialchars in the past. When I display the text, it shows &lt; &gt; &amp; &quot; rather than < > ".

As to the addslash and stripslash, thank you. I've been wanting an exact answer on that for some time, never could get it. I start my classes at college next week; I learned on my own so far, so I never could ask a professor.

Currently I have it before any updates or inserts into my database. I have it remove tags (script, input, textarea, etc.) and all harmful characters (such as -- and $ and more). Like I said, it isn't a good system for a user who wants to use the dollar sign for money. I used a lot of strings to weed out hacking.

That is something else I'd like to ask.

I've seen many times in the tuts here, this method to verify inputs.

Code:

// $arr is the list of disallowed strings, defined earlier in the tutorial
$total_page_len = strlen($_GET['u']);
$_GET['u'] = str_replace($arr, '', $_GET['u']);
$verify_total_page = $_GET['u'];
// if anything was removed, the length changed
if (strlen($verify_total_page) != $total_page_len) {
    die('ERROR IN U!');
}



Why not use this? It is half the code.

Code:

// the fourth argument receives the number of replacements made
str_ireplace($arr, '', $_GET['u'], $count);
if ($count > 0) die('ERROR IN U!');



It does the same thing; strlen is really pointless. Unless my method uses more resources in the long run, then I can understand, but it is way easier.




Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.


misterhaan
Subject: "re: Database input/display question..." Posted: @ 2:24 pm on Aug 27 2008
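The two approaches discussed above (escaping before the query, and filtering characters before the query) both put the user's text into the SQL string. As an added example, not code from either poster or from the forum software, the following keeps the two concerns apart: the raw text goes into the database through a PDO prepared statement (a technique the thread does not use), and htmlspecialchars is applied once, at display time, which is what makes "<BR>" show up literally instead of as "&lt;BR&gt;". It assumes PHP with the PDO SQLite driver so it runs offline; a MySQL DSN works the same way.

```php
<?php
// Added example: prepared statement for storage, HTML encoding only at output.

function store_post(PDO $db, string $author, string $body): int
{
    // The value never becomes part of the SQL text, so no addslashes() and no
    // character blacklist: "$", "--" and "<" are stored exactly as typed.
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function render_post(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT author, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    // Encode exactly once, here. Because the stored copy is raw, the page shows
    // a literal "<BR>" rather than a line break and never shows "&lt;BR&gt;".
    // ENT_QUOTES also covers the single quote, which the default flags of older
    // PHP versions leave alone.
    return '<p><b>' . htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8') . '</b>: '
        . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
}

// In-memory SQLite is assumed so the script runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input containing the characters the thread worries about.
$id = store_post($db, "O'Brien", 'Costs $5 -- see <BR> and "quotes"');
echo render_post($db, $id);
```

The same stored row can be rendered into HTML, into a plain-text e-mail, or into JSON, each with its own encoding, which is not possible once the text has been encoded for HTML before storage.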

David1159 said...

"I did a test with htmlspecialchars in the past. When I display the text, it shows &lt; &gt; &amp; &quot; rather than < > "."

that sounds like you




please note that the above post is likely made up in its entirety.

"AllSyntax.com" Copyright © 2002-2018; All rights lefted, all lefts righted.