bruce <mailto:[EMAIL PROTECTED]>
on Thursday, September 22, 2005 3:33 PM said:
> further investigation seems to imply that 'strings' that are to be
> inserted into the mysql db should be 'backslashed' for the chars
> \x00, \n, \r, \, ', " and \x1a.
That's what escaping is.
> the mysql_real_escape_string function
> requires a db connection and the app might not have opened up a
> connection to the db at this point in the code.. (or i could rewrite
> the code!!)
Unless you have warnings printing to the screen you should be fine. Or you
could just suppress the errors on that one function.
> numeric data:
> -doesn't need quoting, but it shouldn't hurt to quote anyway..
> (quote all numeric values inserted in the db...)
> -but wouldn't this require the app to detect numeric vals in
> the db, and to convert the 'type'!!
No. Why would it? If you quote everything then there's no need to check
for type.
> -how does this affect date/float vars...
I'm not sure. Check the MySQL manual on column types.
> extracting data from the db:
>
> numeric data
> -get the data/val from the db
> -check the type/convert the db to int/float/date/etc...
No type conversion is necessary. PHP is a loosely typed language.
> string data
> -get the vals from the db,
> -strip any slashes that were added to the data/vars
> -process/use accordingly...
As I said in my previous email, stripping of slashes is not necessary.
The reason data is escaped before it's put into the database is so that
you don't confuse the engine.
$string_data = "Hello I'm a string.";
$sql = "INSERT INTO table (thestring)
VALUES ('$string_data')";
That would be the same as:
INSERT INTO table (thestring) VALUES ('Hello I'm a string.')
The engine is going to choke on the apostrophe in I'm. With escaping it
would be ... VALUES ('Hello I\'m a string.').
When you retrieve that data you'll get exactly "Hello I'm a string."
There will be no backslash.
It also prevents SQL injection attacks.
> have i left anything out..??
I don't know.
hth,
Chris.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
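An added example (not from Chris's message and not PHP's own implementation), in Python: a toy re-implementation of the backslash escaping listed above, together with the decoding the server performs when it parses the literal, showing that the stored value carries no backslash and that a stripslashes()-style pass over SELECTed data would corrupt values that legitimately contain backslashes. The real mysql_real_escape_string() needs the connection because correct escaping depends on the connection's character set; the toy ignores that and the sample values are constructed.

```python
import re

# MySQL escapes for the chars the thread lists: NUL, LF, CR, \, ', " and Ctrl-Z.
_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
            "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
_UNESCAPES = {v[1]: k for k, v in _ESCAPES.items()}   # '0' -> NUL, 'n' -> LF, ...

def mysql_escape(value: str) -> str:
    # Toy stand-in for mysql_real_escape_string(); the real one needs the
    # connection because correct escaping depends on the connection charset.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_insert(value: str) -> str:
    # The INSERT from the thread, with the value escaped and quoted.
    return f"INSERT INTO table (thestring) VALUES ('{mysql_escape(value)}')"

def server_decode_literal(literal: str) -> str:
    # What the engine stores for a quoted literal: the escapes are undone,
    # so no backslash reaches the column.  Stand-in for the server's parser.
    if not (literal.startswith("'") and literal.endswith("'")):
        raise ValueError("expected a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            if nxt in "%_":                      # MySQL keeps \% and \_ for LIKE
                out.append("\\" + nxt)
            else:                                # known escape -> char, else drop '\'
                out.append(_UNESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def round_trip(value: str) -> str:
    # Escape, parse as the server would, return what a SELECT hands back.
    return server_decode_literal("'" + mysql_escape(value) + "'")

def php_stripslashes(s: str) -> str:
    # Approximation of PHP's stripslashes(): a doubled backslash becomes one,
    # any other backslash is dropped.  On SELECTed data it mangles real ones.
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)

if __name__ == "__main__":
    path = "C:\\temp\\new"                       # constructed value with real backslashes
    print(build_insert("Hello I'm a string."))   # ... VALUES ('Hello I\'m a string.')
    print(round_trip(path))                      # C:\temp\new   (no backslash added)
    print(php_stripslashes(round_trip(path)))    # C:tempnew     (data destroyed)
```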