From: Karl DeSaulniers on

On Aug 23, 2010, at 10:35 PM, Chris wrote:

>
>> Just to make sure, cause I am ready to get past this.
>> Is this correct?
>>
>> function confirmUP($username, $password){
>> /* Verify that user is in database */
>> $q = "SELECT password FROM ".TBL_USERS." WHERE username =
>> '".mysql_real_escape_string($username)."'";
>
> Perfect.
>
>> /* Retrieve password from result */
>> $dbarray = mysql_fetch_array($result);
>> $dbarray['password'] = htmlspecialchars($dbarray['password']); //
>> Or is
>> this where I need to leave htmlspecialchars off too?
>
> Leave it off.
>
> You're not displaying $dbarray['password'] here - so you don't need
> to use htmlspecialchars.
>
> --
> Postgresql & php tutorials
> http://www.designmagick.com/
>
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>


Got it. So only when I am going to display the result from the
database. I see.
But for comparing $dbarray['password'] to $password, don't I have to
escape $password and then md5 it?
TIA


Karl DeSaulniers
Design Drumm
http://designdrumm.com

@david.lopez: Your emails are getting blocked by my isp, so I have
not seen any of your emails. Not ignoring you, promise.
From: Chris on

> Got it. So only when I am going to display the result from the database.
> I see.

Or email (or otherwise present it to the user), yes.

> But for comparing $dbarray['password'] to $password, don't I have to
> escape $password and then md5 it?

Right.

--
Postgresql & php tutorials
http://www.designmagick.com/

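To make the thread's confirmUP() concrete, here is an added example (not code from Karl or Chris) that follows the same shape: look the user up by username, fetch the stored password, compare in PHP. Only the username enters SQL, and in this version it is bound as a PDO parameter, which is the modern replacement for the thread's mysql_real_escape_string(); the submitted password never touches the query, it is hashed and compared on the PHP side. The example uses password_hash()/password_verify() instead of the thread's md5() and an in-memory SQLite database so it runs offline; the TBL_USERS constant, the openDb()/addUser() helpers and PHP 7.4+ are assumptions. One caveat worth knowing: mysql_real_escape_string() adds backslashes, so escaping a string before hashing it produces a different hash than hashing the raw string; whatever is done at registration must be done identically at login.

```php
<?php
// Added example, not code from the thread. TBL_USERS, openDb() and addUser()
// are assumptions; PDO + in-memory SQLite is used so the script runs offline.

define('TBL_USERS', 'users');

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . TBL_USERS .
        ' (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

// Registration: hash the raw password. Nothing here is escaped, because the
// password is bound as a parameter, not spliced into the SQL string.
function addUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO ' . TBL_USERS .
        ' (username, password) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// The thread's confirmUP(): the username is the only value that enters SQL,
// and it is bound rather than escaped. The stored hash is then compared in
// PHP against a hash of what the user typed; no htmlspecialchars() is involved
// because nothing here is being displayed.
function confirmUP(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password FROM ' . TBL_USERS .
        ' WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['password']);
}

$db = openDb();
// Constructed sample user; quotes and backslashes in the password are fine
// because the password never becomes part of a query string.
addUser($db, "o'brien", "it's a 'quoted' pass\\word");

foreach ([
    ["o'brien", "it's a 'quoted' pass\\word"],
    ["o'brien", 'wrong'],
    ['nobody',  'anything'],
] as [$user, $pass]) {
    echo $user, ': ', confirmUP($db, $user, $pass) ? 'login ok' : 'login failed', PHP_EOL;
}
```

Run it with `php confirm_up.php`; the first attempt succeeds and the other two fail. The username with an apostrophe works without any escaping call because the placeholder binding keeps it out of the SQL text entirely.
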
From: Karl DeSaulniers on

On Aug 23, 2010, at 11:38 PM, Karl DeSaulniers wrote:

>
> On Aug 23, 2010, at 10:35 PM, Chris wrote:
>
>>
>>> Just to make sure, cause I am ready to get past this.
>>> Is this correct?
>>>
>>> function confirmUP($username, $password){
>>> /* Verify that user is in database */
>>> $q = "SELECT password FROM ".TBL_USERS." WHERE username =
>>> '".mysql_real_escape_string($username)."'";
>>
>> Perfect.
>>
>>> /* Retrieve password from result */
>>> $dbarray = mysql_fetch_array($result);
>>> $dbarray['password'] = htmlspecialchars($dbarray['password']); //
>>> Or is
>>> this where I need to leave htmlspecialchars off too?
>>
>> Leave it off.
>>
>> You're not displaying $dbarray['password'] here - so you don't
>> need to use htmlspecialchars.
>>
>> --
>> Postgresql & php tutorials
>> http://www.designmagick.com/
>>
>>
>>
>
>
> Got it. So only when I am going to display the result from the
> database. I see.
> But for comparing $dbarray['password'] to $password, don't I have
> to escape $password and then md5 it?
> TIA
>
>
> Karl DeSaulniers
> Design Drumm
> http://designdrumm.com
>
> @david.lopez: Your emails are getting blocked by my isp, so I have
> not seen any of your emails. Not ignoring you, promise.
>
>


In the case that you're comparing a field to a field in the database
(the field name)
do you escape that or because it is hardcoded you don't need to?
My thoughts are that you need to escape all data going in.
But I do not know if it will match.

EG:

/**
 * updateProduct
 */
function updateProduct($ProductName, $field, $value){
    $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." =
    '".mysql_real_escape_string($value)."' WHERE ProductName =
    '".mysql_real_escape_string($ProductName)."'";
    return $this->query($q);
}

Do I escape $field? mysql_real_escape_string($field)?
$field is not a user-entered value, but should I escape to block hacks?
If $field = "username", will mysql_real_escape_string($field) match?
My thoughts are yes because there are no special characters in my
hardcode
and if there was an attempt to do an injection with this var, it
would catch it.
Am I on the right path with my thoughts?
TIA

Karl DeSaulniers
Design Drumm
http://designdrumm.com

From: Chris on
>
> In the case that you're comparing a field to a field in the database (the
> field name)
> do you escape that or because it is hardcoded you don't need to?
> My thoughts are that you need to escape all data going in.

Correct. A field name is not data though. You've already validated it
(somehow, either by hardcoding it, or checking it against field names to
make sure it's a proper field and doesn't contain weird chars).

> But I do not know if it will match.
>
> EG:
>
> /**
>  * updateProduct
>  */
> function updateProduct($ProductName, $field, $value){
>     $q = "UPDATE ".TBL_PRODUCTS." SET ".$field." =
>     '".mysql_real_escape_string($value)."' WHERE ProductName =
>     '".mysql_real_escape_string($ProductName)."'";
>     return $this->query($q);
> }
>
> Do I escape $field? mysql_real_escape_string($field)?

You can only escape data, not field or table (or database) names.

--
Postgresql & php tutorials
http://www.designmagick.com/

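Chris's point that you can escape data but not field names is what this added example (not code from the thread) does for updateProduct(): $value and $ProductName are data and are bound as PDO parameters (the modern stand-in for mysql_real_escape_string()), while $field is an identifier and is checked against a fixed list of updatable columns before it is spliced into the query. Escaping $field would not help, because a column name is not inside quotes in the SQL, so there is nothing for the escaping to protect; an exact-match allowlist is the check that does the job. The TBL_PRODUCTS constant, the ProductStore class, its column names and PHP 7.4+ are assumptions, and SQLite in memory is used so it runs offline.

```php
<?php
// Added example, not code from the thread. TBL_PRODUCTS, ProductStore and its
// columns are assumptions; PDO + in-memory SQLite so the script runs offline.

define('TBL_PRODUCTS', 'products');

class ProductStore {
    // Identifiers cannot be escaped, so they are validated instead: only
    // these exact column names may be used as $field in updateProduct().
    private const UPDATABLE_FIELDS = ['Price', 'Quantity', 'Description'];

    private PDO $db;

    public function __construct() {
        $this->db = new PDO('sqlite::memory:');
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE ' . TBL_PRODUCTS .
            ' (ProductName TEXT PRIMARY KEY, Price REAL, Quantity INTEGER, Description TEXT)');
        // Constructed sample row.
        $this->db->exec("INSERT INTO " . TBL_PRODUCTS .
            " VALUES ('Snare', 120.0, 3, 'Maple shell')");
    }

    // Same signature as the thread's updateProduct(). $field is an identifier
    // (validated against the list); $value and $ProductName are data (bound).
    public function updateProduct(string $ProductName, string $field, $value): int {
        // Strict in_array(): 'price' (wrong case) or 'ProductName' (a real
        // column, but not one this method may change) are both rejected.
        if (!in_array($field, self::UPDATABLE_FIELDS, true)) {
            throw new InvalidArgumentException("Not an updatable field: $field");
        }
        $sql = 'UPDATE ' . TBL_PRODUCTS . ' SET ' . $field .
            ' = :v WHERE ProductName = :n';
        $stmt = $this->db->prepare($sql);
        $stmt->execute([':v' => $value, ':n' => $ProductName]);
        return $stmt->rowCount(); // number of rows changed
    }

    public function getProduct(string $ProductName): ?array {
        $stmt = $this->db->prepare('SELECT * FROM ' . TBL_PRODUCTS .
            ' WHERE ProductName = :n');
        $stmt->execute([':n' => $ProductName]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

$store = new ProductStore();

// Data with quotes in it: bound, so no escaping call is needed.
$store->updateProduct('Snare', 'Description', "14\" maple shell, 'vintage' finish");
$store->updateProduct('Snare', 'Quantity', 5);
print_r($store->getProduct('Snare'));

// Identifiers that are not on the list are refused before any SQL is built.
foreach (['price', 'ProductName'] as $bad) {
    try {
        $store->updateProduct('Snare', $bad, 1);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The allowlist answers Karl's "will it match?" question as well: a hardcoded field name is passed through unchanged because validation compares it rather than rewriting it, so "username" stays "username". If the set of updatable columns ever needs to come from configuration, load the list from there rather than from anything the request supplies.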