|
see my response under "what is python's claim to fame?". The only reason not to learn Python is that once you do so much of C# will drive you insane,... that has certainly been my experience
Paul Coldrey
http://www.lumient.com.au/
|
|
|
|
|
Some background: I have taken a few measures to prevent SQL injection on my PHP/MySQL setup (currently WAMP for development, but will be LAMP for production server):
- In my users table, I have entered a "bad" user, with all the fields equal to 0.
- this is the first user in the table
- if a hacker tries to enter ' or ''=' in the uname field:
- (theoretically,) "bad" user will be first result, and
- (theoretically,) # of results will also be greater than 1 (more than 1 user)
- (theoretically,) the following code will prevent said hacker from gaining unauthorized access
- mysql_real_escape_string() function will be used to escape input when site is launched, but right now it is not in use to allow testing of common SQL injection methods.
- I have read that mysql_real_escape_string() has some vulnerabilities.
- I know mysql_real_escape_string() is more secure than addslashes().
<span style="color: green">
<span style="color: blue">$u</span> = <span style="color: blue">$_POST[uname]</span>;
<span style="color: blue">$p</span> = <span style="color: blue">$_POST[pass]</span>;
<span style="color: green">
<span style="color: blue">$query</span> = <span style="color: red">"select uid,uname,fname,lname,email,phone,other,pass from ads.users where uname = '$u'"</span>;
<span style="color: blue">$result</span> = mysql_query(<span style="color: blue">$query</span>);
<span style="color: blue">$rows</span> = mysql_num_rows(<span style="color: blue">$result</span>);
<span style="color: green">
if (<span style="color: blue">$rows</span> > 1) {
<span style="color: green"></span>
die (<span style="color: red">"Error[20]: You have entered potentially harmful input. Security measures have been put in place until this incident can be reviewed."</span>);
}
<span style="color: blue">$record</span> = mysql_fetch_assoc(<span style="color: blue">$result</span>);
<span style="color: blue">$passQuery</span> = <span style="color: red">"select password('$p') = '$result[pass]'"</span>;
if (<span style="color: blue">$rows</span> == 1 && mysql_num_rows(mysql_query(<span style="color: blue">$passQuery</span>))) {
if (<span style="color: blue">$record[uid]</span> == 0) {
<span style="color: green">
die (<span style="color: red">"Error[25]: You have entered input that could be harmful to the site. Security measures have been put in place until this incident can be reviewed."</span>);
}
<span style="color: blue">$l</span> = 1; <span style="color: green">
<span style="color: green">
<span style="color: blue">$_SESSION[uid]</span> = <span style="color: blue">$record[uid]</span>;
<span style="color: blue">$_SESSION[uname]</span> = <span style="color: blue">$record[uname]</span>;
<span style="color: blue">$_SESSION[fname]</span> = <span style="color: blue">$record[fname]</span>;
<span style="color: blue">$_SESSION[lname]</span> = <span style="color: blue">$record[lname]</span>;
<span style="color: blue">$_SESSION[phone]</span> = <span style="color: blue">$record[phone]</span>;
<span style="color: blue">$_SESSION[email]</span> = <span style="color: blue">$record[email]</span>;
} else <span style="color: blue">$loginError</span> .= <span style="color: red">"Error: Invalid username and/or password."</span>;
I dunno... maybe I'm just paranoid... I just want to make sure to CMA to prevent liability problems, since this will be a commercial site.
P.S. I hope the markup helps read my programming - I know my lines tend to be fairly long...
"Silently laughing at silly people is much more satisfying in the long run than rolling around with them in a dusty street, trying to knock out all their teeth. If nothing else, it's better on the clothes." - Belgarath (David Eddings)
|
|
|
|
|
To prevent SQL injection all you need to do is escape and use good validation. Other stuff can be a waste of time.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
I usually use this function to prevent SQL injection, maybe it's useful for you :
function quote_smart($value)
{
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
if (!is_numeric($value))
{
$value = mysql_real_escape_string($value);
}
return $value;
}
Sorry for my English. I'm a freshman .
|
|
|
|
|
Bradml wrote: Other stuff can be a waste of time
Like using parameters instead of inlining?
cheers,
Chris Maunder
CodeProject.com : C++ MVP
|
|
|
|
|
Exactly.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
What level of validation is enough?
I think that using prepared statements with parameters is the safest way, what do you think ?
|
|
|
|
|
SQLi is best handled using the database's native escaping routines and not just relying on addslashes() -- there is actually a way to circumvent addslashes from what I remember.
Filtering is probably a good practice as well.
To avoid escaping, you could just use PDO and prepared statements which handles the escaping for you automagically as well.
I'm finding the only constant in software development is change it self.
|
|
|
|
|
Hi friends.
I usually use Smarty to create templates.
When I wanted to create somethings like this :
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test</title>
</head>
<body>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
<table>
<tr>
<td> </td>
</tr>
</table>
</body>
</html>
I created three files ( for example Header.tpl , Footer.tpl , Body.tpl )
Header.tpl :
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Test</title>
</head>
<body>
Body.tpl :
<table>
<tr>
<td> </td>
</tr>
</table>
Footer.tpl :
</body>
</html>
Then I wrote this Smarty code in PHP to created above HTML file :
$smarty -> display('Header.tpl');
for ($i=0; $i<=3; $i++)
$smarty -> display('Body.tpl');
$smarty -> display('Footer.tpl');
This way is bad, because designing template is very difficult.
Are there any ways to use Smarty and create above HTML file.
Thanks in advance
Sorry for my English. I'm a freshman .
|
|
|
|
|
Can't you just output the HTML? It doesn't stop normal PHP from working.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
Thanks Bradml.
Bradml wrote: Can't you just output the HTML?
Yes, I can. but I want generate output by SMARTY ! 
Sorry for my English. I'm a freshman .
|
|
|
|
|
.... why? What benefit does that provide?
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
Bradml wrote: What benefit does that provide?
With Smarty you can sift Template through program , so we can change template easily.
Sorry for my English. I'm a freshman .
|
|
|
|
|
Ok, well sorry I haven't really looked into Smarty so I'm not going to be of too much help. Check out the Smarty Forums[^]. They can probably help you out.
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
OK, That's all right. Thanks
Sorry for my English. I'm a freshman .
|
|
|
|
|
I want to place image generating code in my webpage, but it is working fine alone..
But when I implement that code in my webpage it doesn't work..
Mohsin Ali
|
|
|
|
|
Can you tell us what happens? Does it through errors? Can you show us the code?
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
It's hard to say without any code .
Write your code Ali
Sorry for my English. I'm a freshman .
|
|
|
|
|
I want to implement CAPTCHA on a simple web form...
Is there any easy example to implement it..
Mohsin Ali
|
|
|
|
|
|
Nice answer!
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
Hi.
I'm looking for a good PHP IDE. Do you know what PHP IDE is better ?
Sorry for my English. I'm a freshman .
|
|
|
|
|
M using Dreamweaver since last two years.... I also used other IDEs for PHP but found Dreamweaver as the best..
Mohsin Ali
|
|
|
|
|
In my opinion you cannot beat Zend. They make the best IDE out there. Check out their website.[^]
Brad
Australian
The PHP MVP
- Christian Graus on "Best books for VBscript"
A big thick one, so you can whack yourself on the head with it.
|
|
|
|
|
I used zend, its good.............. but damn slow due to java... 
Mohsin Ali
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
