Sunday, November 16, 2014


Hello, I have been working for a good two weeks on a PHP project. The tests are carried out on a free server, so with magic quotes activated. Not knowing whether that will be the final server, I did the following: function magicquotes($txt) { if (get_magic_quotes_gpc()) return $txt; else return addslashes($txt); } In short, is it necessary to call my function on each user input? (Heavy to put in the code, and not at all optimal for the server) Or only in the case of string concatenation? Normally I would say the second, but I want to be sure not to take a chance. Thank you in advance for your answers.
strip_tags is also very useful for improving safety, since someone can quickly put <script> into a field... Though you only really need it for fields that are long enough, like a textarea. As for the quotes, that is to avoid SQL injections it seems to me, so it can't be REALLY dangerous when there aren't enough characters to work with, right? I confess I know little about the hack in question, so other answers would interest me too, but that's what I imagine.
I'm just not a specialist in security, so with the quotes, is what I risk anything other than SQL injections? As for magic quotes, it is advisable to disable them, and they will not be included in PHP6 if I'm not mistaken. This is due to a performance issue, and to the fact that people writing PHP scripts rely too much on magic quotes, neglecting (or completely ignoring) the security part... (correct me if I'm wrong) But that doesn't really bother me; what concerns me is whether there is anything other than SQL injections?
I have not heard of attacks other than SQL injection if one disables the magic quotes; on the other hand, it seems to me that a function already exists to prevent it: http://fr2.php.net/m...l_escape_string It also seems to me that the magic quotes escape the characters coming from an external source. You are perfectly right about PHP6, apparently: http://www.php.net/~...ml#magic-quotes
Yes, the magic quotes escape anything external, and it is mysql_real_escape_string that I already use to protect my queries. I was just wondering if I needed to protect my PHP code instead. Either way, the final server is PHP4 with magic_quotes activated, so I removed my function, which was not much use anyway.
To secure your website I would advise applying htmlspecialchars() to each variable that you retrieve and that will be recorded in your db. As for SQL injections, simply apply mysql_real_escape_string() to the retrieved variables before saving, too...
Hello, I'll try to clarify a bit, since it all still seems unclear. To start, take a classic SQL query made in PHP: $query = "select name, surname, email from user where login = '$login' and password = '$password'"; Nothing fancy so far. Now imagine a nasty visitor does not enter a normal password but something containing apostrophes... for example: foo' OR '1'='1 So we get the query: select name, surname, email from user where login = 'foo' and password = 'foo' OR '1'='1' And there you are stuck: regardless of the password, the query will return a result. Obviously there are many other possibilities. The original idea of "magic_quotes_gpc" was therefore to protect against that. Except that it raises two concerns: first, magic_quotes_gpc simply does a dumb addslashes() on all data, which is far from enough to protect against SQL injections. And second, magic_quotes_gpc is dumb and nasty: it does an addslashes() on all incoming data, whereas it is rare that the data is used solely to generate SQL queries. In the end, to really protect against a SQL injection you are therefore obliged to do a "stripslashes" (to recover the original variable) followed by a mysql_real_escape_string (which is the only function that escapes properly for MySQL). A pain, isn't it? Not to mention that if you want to use your variable for something other than a SQL query, you also can't do without stripslashes. That is why it is deleted in PHP 6: the developers believe they are protected by this "false security" when they are not. No one fills
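The injection walked through in the post above, and the two ways out of it (stripslashes + the real escape function, or a prepared statement), as an added example that is not code from the thread. It assumes PHP 7.1+ with mysqli and mysqlnd; `$db` is a live mysqli connection supplied by the caller.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with the mysqli
// extension (mysqlnd for get_result); $db is a live mysqli connection.

// 1. The vulnerable pattern the post describes: input concatenated into SQL.
function build_query_unsafe(string $login, string $password): string
{
    return "select name, surname, email from user where login = '$login' and password = '$password'";
}

// Constructed input from the post: closes the string literal, appends an always-true OR.
echo build_query_unsafe('foo', "foo' OR '1'='1"), "\n";
// select name, surname, email from user where login = 'foo' and password = 'foo' OR '1'='1'

// 2. Undo magic_quotes_gpc (PHP < 5.4) so that escaping is applied exactly once,
//    as the post recommends: stripslashes first, then the real escape function.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// 3a. Escaping with the connection's charset: the apostrophe becomes \' and
//     stays inside the string literal, so the OR clause is just data.
function build_query_escaped(mysqli $db, string $login, string $password): string
{
    $login    = $db->real_escape_string(raw_input($login));
    $password = $db->real_escape_string(raw_input($password));
    return "select name, surname, email from user where login = '$login' and password = '$password'";
}

// 3b. Prepared statement: values are bound, never spliced into the SQL text.
function find_user(mysqli $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('select name, surname, email from user where login = ? and password = ?');
    $l = raw_input($login);
    $p = raw_input($password);
    $stmt->bind_param('ss', $l, $p);   // bind_param takes references, hence the temporaries
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

With 3a or 3b the constructed input above matches only a user whose password literally contains the apostrophes, which is the behaviour the post is after.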
