Steve, posted March 14, 2011

Hi Larry/everyone,

I came across this article: "Can You Hack Your Own Website?..."
http://net.tutsplus.com/tutorials/tools-and-tips/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nettuts+%28Nettuts%2B%29&utm_content=Google+Feedfetcher

To sanitize inputs, the author used not only "mysql_real_escape_string" but also the function "addcslashes". Specifically, the line of code (that would be added to the "escapedata()" function on page 56) is:

$string_b = addcslashes($string_i, "\x00\n\r\'\x1a\x3c\x3e\x25");

I was wondering about your thoughts on this extra line of code; is it necessary or not?

Thanks!
Larry, posted March 14, 2011

Hello Steve,

Thanks for your question. I looked at the article and I'll admit that there are a few points made in the article that I disagree with (e.g., the argument to use mysql_pconnect() or the failure to confirm that variables are set before referencing them). I also don't think the author convinced me of the merits of addcslashes() over mysql_real_escape_string().

The argument for mysql_real_escape_string() is twofold: first, it puts more functionality into the database, which is generally advised. Second, it performs the escaping in a way that's particular to the character set used by the database, so it's more particular and less generic than addcslashes().

Also, to be clear, the author isn't using addcslashes() AND mysql_real_escape_string() but rather addcslashes() INSTEAD OF mysql_real_escape_string(). To be clear, it's really a minor distinction between the two, but I prefer mysql_real_escape_string().
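To make Larry's second argument concrete, here is an added example that is not part of the thread, the article, or either poster's code. It models, in Python, the difference between escaping one byte at a time (what addcslashes() does, using the exact character list quoted in the question) and escaping with knowledge of the connection character set (what mysql_real_escape_string() does when the client library knows the charset). The GBK byte ranges, the addcslashes() emulation, the libmysql-style escaping and the server-side string lexer are all simplified models written for this illustration, not the real implementations; the two inputs are constructed. The first input is the classic GBK case: a stray lead byte 0xBF followed by a quote, where the inserted backslash (0x5C) completes a valid two-byte character and leaves the quote live.

```python
# Added example (not from the forum thread): why charset-aware escaping is "more particular"
# than byte-at-a-time escaping.  Everything below is a simplified model written for this
# illustration: the GBK byte ranges, the PHP addcslashes() emulation, the libmysql escaping
# logic and the MySQL string lexer are approximations, not the real implementations.

# The article's addcslashes() character list, as quoted in the question:
# "\x00\n\r\'\x1a\x3c\x3e\x25" -> NUL, LF, CR, backslash, quote, SUB, '<', '>', '%'
ADDCSLASHES_CHARS = b"\x00\n\r\\'\x1a<>%"

# What mysql_real_escape_string() rewrites each special byte to (the part after the backslash).
MYSQL_SPECIALS = {0x00: b"0", 0x0A: b"n", 0x0D: b"r", 0x1A: b"Z",
                  0x22: b'"', 0x27: b"'", 0x5C: b"\\"}


def gbk_mb_len(buf: bytes, i: int) -> int:
    """Return 2 if buf[i:i+2] is a well-formed GBK double-byte character, else 0.
    Assumption: lead byte 0x81-0xFE, trail byte 0x40-0xFE excluding 0x7F."""
    if i + 1 < len(buf) and 0x81 <= buf[i] <= 0xFE:
        trail = buf[i + 1]
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 0


def escape_bytewise(s: bytes) -> bytes:
    """Charset-blind escaping, one byte at a time, modelled on addcslashes() with the
    article's character list (control characters become C-style or octal escapes)."""
    out = bytearray()
    for b in s:
        if b not in ADDCSLASHES_CHARS:
            out.append(b)
        elif b == 0x0A:
            out += b"\\n"
        elif b == 0x0D:
            out += b"\\r"
        elif b < 0x20:
            out += b"\\%03o" % b
        else:
            out += b"\\" + bytes([b])
    return bytes(out)


def escape_gbk_aware(s: bytes) -> bytes:
    """Charset-aware escaping modelled on libmysql for a GBK connection: a well-formed
    double-byte character passes through untouched, a lead byte that does NOT start a valid
    character is itself escaped (so it cannot later pair with an inserted backslash), and the
    usual specials get their backslash."""
    out = bytearray()
    i = 0
    while i < len(s):
        n = gbk_mb_len(s, i)
        if n:
            out += s[i:i + n]
            i += n
            continue
        b = s[i]
        if 0x81 <= b <= 0xFE:
            out += b"\\" + bytes([b])
        elif b in MYSQL_SPECIALS:
            out += b"\\" + MYSQL_SPECIALS[b]
        else:
            out.append(b)
        i += 1
    return bytes(out)


def literal_end(sql: bytes, start: int):
    """Model of how the server's lexer, on a GBK connection, finds the end of the single-quoted
    literal opening at sql[start]: a valid double-byte character is skipped whole, a backslash
    skips the next BYTE, a doubled quote is literal, a bare quote closes.  Returns the index of
    the closing quote, or None if the literal never closes."""
    i = start + 1
    while i < len(sql):
        n = gbk_mb_len(sql, i)
        if n:
            i += n
            continue
        b = sql[i]
        if b == 0x5C:
            i += 2
        elif b == 0x27:
            if i + 1 < len(sql) and sql[i + 1] == 0x27:
                i += 2
            else:
                return i
        else:
            i += 1
    return None


def input_stays_inside_literal(escape, user_input: bytes) -> bool:
    """Build WHERE name = '<escaped input>' and report whether the literal closes at the
    query's final byte, i.e. whether the whole input stayed inside the string."""
    query = b"SELECT * FROM users WHERE name = '" + escape(user_input) + b"'"
    return literal_end(query, query.index(b"'")) == len(query) - 1


# Constructed attacker input: a stray GBK lead byte followed by a quote and an injected clause.
STRAY_LEAD_BYTE_INPUT = b"\xbf' OR 1=1 -- "
# Constructed benign input: a real GBK character whose trail byte is 0x5C, then an apostrophe.
GBK_CHAR_WITH_BACKSLASH_TRAIL = b"\xbf\x5c'"

if __name__ == "__main__":
    for name, data in [("stray lead byte", STRAY_LEAD_BYTE_INPUT),
                       ("GBK char + quote", GBK_CHAR_WITH_BACKSLASH_TRAIL)]:
        print(f"{name}: bytewise keeps input inside literal? "
              f"{input_stays_inside_literal(escape_bytewise, data)}; "
              f"charset-aware? {input_stays_inside_literal(escape_gbk_aware, data)}")
```

Run as a script, both inputs come out False for the byte-wise escape (the first ends the literal early, the second breaks the legitimate character and leaves the literal unterminated) and True for the charset-aware escape. The caveat that goes with this: mysql_real_escape_string() only knows the character set if the client library was told about it (mysql_set_charset() rather than a bare SET NAMES query), and bound parameters in a prepared statement sidestep the escaping question entirely.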
Steve, posted March 14, 2011

Thanks!! I read it as the author was using *both* methods; thanks for clarifying. I did notice the mysql_pconnect, but wasn't going to question it (so, thanks for bringing that up, too).

Appreciated, as always!!

Steve