Page 2 of 2
    #16
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,959
    Rep Power: 1014
    We already had this discussion, if I remember correctly.

    Always store the original, unaltered data, not some "pre-escaped" stuff.
    The 6 worst sins of security - How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
    #17
    Mad Scientist
    Devshed Expert (3500 - 3999 posts)
    Join Date: Oct 2007
    Location: North Yorkshire, UK
    Posts: 3,661
    Rep Power: 4124
    Protect for the medium into which you're injecting:

    Code:
    PHP injecting into a database:
    +------------+                             +----------+
    | User Input |--->(prepared statements)--->| Database |
    +------------+                             +----------+
    
    PHP injecting into a webpage
    +------------+                             +---------+
    | User Input |------>(html entities)------>| Webpage |
    +------------+                             +---------+
    
    PHP injecting into a database:                         * reading from database and injecting into webpage
    +------------+                             +----------+                       +---------+
    | User Input |--->(prepared statements)--->| Database |--->(html escaping)--->| Webpage |
    +------------+                             +----------+                       +---------+

    Some people also allow the storing of scripts in their database, e.g. storing PHP scripts and then using exec... I don't know how to make something like this secure, so I'd never let it happen. Sure, I could let someone store some code in a 'notes' field, but I have to make sure that this never gets interpreted and executed as if it was the language it was written in.

    For example, this is a PHP forum; we all store PHP code in devshed's database - but it's never interpreted as PHP - it is assumed to be content for an HTML page and will go through an html escaping function before being output (also the [ php ] tags help by wrapping keywords in styled spans, etc.)

    Although not a common scenario for most on this forum, there are cases where the language used to read from the database and display the results is different from the language used to store the data - for example your php+html forms may be used to collect user data and store it in MySQL... another developer working on another arm of your project may use (C/Java/Python/Ruby) to query your mysql database and use the data for another part of the website, or might assume that there is valid xml and parse it, strip the html tags for a document excerpt, build reports, spreadsheets etc etc etc
    I said I didn't like ORM!!! <?php $this->model->update($this->request->resources[0])->set($this->request->getData())->getData('count'); ?>

    PDO vs mysql_* functions: Find a Migration Guide Here

    [ Xeneco - T'interweb Development ] - [ Are you a Help Vampire? ] - [ Read The manual! ] - [ W3 methods - GET, POST, etc ] - [ Web Design Hell ]
    #18
    Dazed&Confused
    Devshed Novice (500 - 999 posts)
    Join Date: Jun 2002
    Location: Tempe, AZ
    Posts: 506
    Rep Power: 128
    Originally Posted by zxcvbnm
        About storing these characters into the database.

        I guess it'd be right to store into the database without HTML escaping and HTML escape only when printing. No harm could come from storing html tags into the database.

        I have seen both. I have seen some phpmyadmin databases where they store as escaped and some not escaped.

    You probably wouldn't want to store escaped content in a database. That'll make it hard to deal with programmatically, and if you output it again with escaping, it'll be double-escaped.
    LinkedIn: Dave Mittner
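The following is an added example, not code from this thread or from Devshed. It walks both arrows of Mad Scientist's diagram in post #17 (a prepared statement into the database, HTML escaping out to the page, plus a second consumer that reads the same row as plain text) and then shows the double-escaping that Dazed&Confused warns about in post #18 when content is escaped before it is stored. It assumes PHP with the pdo_sqlite extension available; the table name `notes`, its columns, the helper function names and the sample input are all constructed for this illustration.

```php
<?php
// Added example, not from the thread. Assumes PHP with pdo_sqlite.
// Table "notes", its columns and the helper names are assumptions.

declare(strict_types=1);

// In-memory SQLite so the example runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: an apostrophe, HTML tags and an SQL keyword. All of it
// is legitimate text for a notes field and none of it should be altered.
$userInput = "Bob's <b>note</b>: remember to DROP TABLE old_stuff <script>alert(1)</script>";

// (1) User Input ---> (prepared statements) ---> Database
// The value is bound as a parameter, so the apostrophe and the keyword are
// data, not SQL. Nothing is escaped, stripped or "pre-encoded" on the way in.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// (2) Database ---> (html escaping) ---> Webpage
// Escaping happens at output time, for the medium actually being written to.
function renderAsHtml(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// A different consumer of the same row (the "document excerpt" case in the
// thread): only works because the stored text is the real text.
function renderAsTextExcerpt(string $body): string
{
    return strip_tags($body);
}

$stored = $pdo->query('SELECT body FROM notes WHERE id = 1')->fetchColumn();
if ($stored !== $userInput) {
    throw new RuntimeException('stored value differs from what the user entered');
}
echo "HTML view: ", renderAsHtml($stored), PHP_EOL;
echo "Text view: ", renderAsTextExcerpt($stored), PHP_EOL;

// (3) The anti-pattern: escaping for HTML before storing.
$preEscaped = htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8');
$insert->execute([':body' => $preEscaped]);
$storedEscaped = $pdo->query('SELECT body FROM notes WHERE id = 2')->fetchColumn();

// The output filter escapes the "&" of every entity a second time, so the
// reader sees "&lt;b&gt;" literally instead of bold text...
echo "Double-escaped HTML view: ", renderAsHtml($storedEscaped), PHP_EOL;
// ...and the excerpt still contains entities, because there were no real
// tags or quotes left for strip_tags to remove.
echo "Broken text view: ", renderAsTextExcerpt($storedEscaped), PHP_EOL;
```

Run it with `php example.php`. The first two lines show the same stored row rendered correctly for two different media; the last two show what the other developer in Mad Scientist's scenario (or your own template) inherits once the HTML escaping has been baked into the database row.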