MySQL Injection in PHP

I am almost positive I have properly protected myself against MySQL injection, but I would like someone who knows better than I do to say whether I actually am protected or if it's a facade. Thank you for your help.

[code=php]
<?php
include("include/constants.php");
$var = @$_GET['query'];
$trimmed = trim($var); // trim whitespace from the stored variable

// check for an empty string and display a message.
if ($trimmed == "")
{
    include("s.php");
    echo "<p>Please enter a search...</p>";
    echo "<p><a href=\"main.php\">Home</a></p>";
    exit;
}

$connect = mysql_connect(DB_SERVER, DB_USER, DB_PASS);

if (!($connect)) // If no connect, error and exit().
{
    echo("<p>Unable to connect to the database server.</p>");
    exit();
}

// Escape only once the link is open: mysql_real_escape_string() uses the
// connection's character set, and falls back to a default link without one.
$query = mysql_real_escape_string($trimmed);

if (!(mysql_select_db(DB_NAME))) // If the database can't be selected, error and exit().
{
    echo("<p>Unable to locate the database.</p>");
    exit();
}

// $limit and $page are set elsewhere (omitted code); empty() avoids a notice
// when they are not.
if (empty($limit)) {
    $limit = 500; // Default results per-page.
}

if (empty($page)) {
    $page = 0; // Default page value.
}

$numresults = mysql_query("SELECT * FROM projects WHERE projectassigned LIKE '%" . $query . "%' ORDER BY opclo DESC"); // the query.
// More code, but it's omitted for post length.
?>
[/code]

PHP

7 Comment(s)

@dtm32236, Aug 20, 2009 — I'm really new at this and shouldn't be giving advice, but I'd definitely look into mysql_real_escape_string:

http://us2.php.net/manual/en/function.mysql-real-escape-string.php

PS - what does the at symbol (@) do? [B]$var = @$_GET['query'];[/B]

I know I've seen that before. I think it removes error messages or something(?)
@drumbum360 (author), Aug 20, 2009 — The @ sign suppresses error messages.

I have included mysql_real_escape_string in my query. I tried a test attack to delete everything in my database and it didn't delete anything, so I'm pretty sure I'm safe, but I wanted to make sure from someone on here.

Thanks for the response dtm32236!
@dtm32236, Aug 20, 2009 — "$query = mysql_real_escape_string($trimmed);"

That's me being dumb. I didn't see that.

As far as I know, the only thing I do when inserting into a database is trim() and mysql_real_escape_string().

I don't know if you need to worry about XSS (I haven't looked into these issues much yet):

http://shiflett.org/blog/2005/jan/xss-cheatsheet

Hopefully someone with more experience could chime in...
@NogDog, Aug 20, 2009 — The database couldn't care less about XSS, as all it does is store data. (OK, it does other stuff with the data, but you know what I mean.)

So from the standpoint of SQL injection, XSS is a non-issue. It [i]is[/i] an issue, however, if/when you want to retrieve any of the data and display it to the user's browser. So it is something to consider when validating/filtering user inputs, and also when escaping output to the browser. (See strip_tags(), htmlspecialchars(), and htmlentities() for various approaches. Which approach is correct is dependent on each specific situation.)
@NogDog, Aug 20, 2009 — PS: With regards to SQL injection, assuming you are running PHP 5.0 or later (and if not, [i]why[/i]?), you should consider moving up to the MySQL[b]i[/b] extension or a database abstraction layer such as PDO, and make use of prepared statements for your queries. Besides other advantages of using these extensions, the use of prepared statements with bound parameters [i]forces[/i] the correct escaping of inputs (assuming you use bound parameters for all external inputs).
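
The approach NogDog recommends in his two comments above, applied to the OP's search: a PDO prepared statement with a bound parameter for the query, and htmlspecialchars() on every value written back to the browser. This is an added example, not code from the thread. It runs stand-alone against an in-memory SQLite database so it can be tried without a MySQL server; the table and column names (projects, projectassigned, opclo) are the OP's, while the column types and the sample rows are constructed for the demo, and the MySQL DSN shape mentioned in the comments is an assumption. It also escapes the LIKE metacharacters (% and _), which a bound parameter by itself does not do since the driver cannot know the value ends up inside a LIKE pattern.

```php
<?php
// Added example (not from the original post or its comments): the OP's
// projectassigned search on PDO with a bound parameter, LIKE-wildcard escaping,
// and htmlspecialchars() on output. Runs against an in-memory SQLite database
// so it works stand-alone; for MySQL use a DSN of the assumed form
// 'mysql:host=HOST;dbname=NAME;charset=utf8mb4' plus DB_USER/DB_PASS.
declare(strict_types=1);

/** Open the demo database and seed it with constructed rows. */
function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On the MySQL driver, turn off emulated prepares so the values really are
    // sent separately from the SQL text instead of being interpolated client-side.
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }

    // Table and column names are from the original post; the column types
    // and the rows below are assumptions made for this demo.
    $db->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY, projectassigned TEXT NOT NULL, opclo TEXT NOT NULL)');
    $seed = $db->prepare('INSERT INTO projects (projectassigned, opclo) VALUES (?, ?)');
    foreach ([
        ['alice',     '2009-08-01'],
        ['bob <b>',   '2009-08-10'],
        ["o'brien",   '2009-08-20'],
        ['100%_done', '2009-08-15'],
    ] as $row) {
        $seed->execute($row);
    }
    return $db;
}

/**
 * Escape LIKE metacharacters with '!' so that a user typing '%' or '_' searches
 * for those literal characters. A bound parameter keeps the value out of the
 * SQL grammar, but it cannot know the value is going into a LIKE pattern.
 */
function escapeLike(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

/** Rows whose projectassigned contains $term, newest opclo first. */
function searchProjects(PDO $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT id, projectassigned, opclo FROM projects
          WHERE projectassigned LIKE :pattern ESCAPE '!'
          ORDER BY opclo DESC"
    );
    // The wildcards are added here, around the escaped term, never by the user.
    $stmt->bindValue(':pattern', '%' . escapeLike($term) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Render rows as an HTML list, encoding every value on the way to the browser. */
function renderResults(array $rows): string
{
    if ($rows === []) {
        return "<p>No matching projects.</p>\n";
    }
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li>' . htmlspecialchars($row['projectassigned'], ENT_QUOTES, 'UTF-8')
               . ' (' . htmlspecialchars($row['opclo'], ENT_QUOTES, 'UTF-8') . ")</li>\n";
    }
    return $html . "</ul>\n";
}

$db = openDb();
// Constructed search terms: a classic injection attempt, a value carrying HTML,
// a value with a quote in it, and a bare wildcard.
foreach (["' OR '1'='1", 'bob <b>', "o'brien", '%'] as $term) {
    $trimmed = trim($term);
    if ($trimmed === '') {
        echo "<p>Please enter a search...</p>\n";
        continue;
    }
    echo 'Search for ' . var_export($trimmed, true) . ":\n";
    echo renderResults(searchProjects($db, $trimmed));
}
```

Run it with the PHP CLI (pdo_sqlite ships enabled by default). The injection attempt ' OR '1'='1 is looked up as a literal string and finds nothing, the row holding bob <b> comes back with its angle brackets encoded, o'brien is matched without any escaping in the caller, and the bare % matches only the row that actually contains a percent sign. Against MySQL the search and rendering functions are unchanged; only the in-memory seeding in openDb() is SQLite-specific.
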
@JunkMale, Aug 22, 2009 — [QUOTE]PS: With regards to SQL injection, assuming you are running PHP 5.0 or later (and if not, [i]why[/i]?) ...[/QUOTE]

If you are on a web host's server... even if it's a dedicated one... you do not get any access to that side of the box. The only time people have access to the server settings beyond a CP is where they are a company hosting their own servers or the web host is hosting the company's own hardware.
@NogDog, Aug 22, 2009 — [QUOTE]If you are on a web host's server... even if it's a dedicated one... you do not get any access to that side of the box. The only time people have access to the server settings beyond a CP is where they are a company hosting their own servers or the web host is hosting the company's own hardware.[/QUOTE]

Besides the fact that PHP5 has been out for over 5 years now, it is now over a year since the PHP development team ceased supporting PHP4 in any manner, [i]including security patches[/i]. Any web host that does not provide PHP5 - and preferably keeps up to date with the latest releases so that security fixes are included - is doing you a disservice both in terms of functionality and security. If nothing else, it is easy to provide [i]both[/i] PHP4 and PHP5 by running one as an Apache module and one in CGI mode (requiring that one or the other use a different file name suffix, such as ".php4" for PHP4 and ".php" for PHP5).

So frankly, if your web hosting company does not support PHP5 and will not add support for it when you ask nicely, then it's time to move to another hosting company that knows what it's doing.