filter metacharacters

slimjim

What is the best way to filter metacharacters in querys and inserts.

Trying to figure out how to prevent Cross Site Scripting

NogDog

Many of the DB interfaces in PHP have an escape_string function, such as [man]mysql_real_escape_string/man or [man]pg_escape_string/man.

slimjim

Help me understand please.

If no insert is to be done , then I would not have to use mysql_real_escape_string() correct ?

If I were to do a insert, then it would be best to use mysql_real_escape_string()

Such as :
$username= mysql_real_escape_string(trim($_POST['username']));

Now for no user input on a form lets say, this just wouldnt be used correct ?

Need some form of user input correct ?

I mean we wouldnt use that on something like this correct :

$result2 = mysql_query("SELECT * FROM members WHERE statis='1'");
$inactt = mysql_num_rows($result2);

But we would use it on anything that from a form of post that would get inserted into db correct....

slimjim

Just trying to find out best way to stop injection attacks

NogDog

Basically, you want to filter any value that will be used in any type of query, if that value comes from any source you cannot be 100% sure is safe. (If you're truly paranoid, that means every source. 😉 ) If using MySQL, see the "Best Practice" example on the mysql_real_escape_string page for handling form inputs in queries.

slimjim

inputs from forms I figured out i think, but what about urls like:

http://www.somesite.com?user=1

Couldnt someone add more to that url, like a select statment or something to get server info or user info..

Sence I would use user=1 to do a query, how can I protect that from an injection, cause I didnt not find anything on those pages that deal with that.

Piranha

Look at this thread to get a few answers.

NogDog

You can use mysql_real_escape_string() with $GET variables for values from the URL query string just as you would for $POST or $_GET variables from a form input.

slimjim

Could I add this to a connection script whish would be on any page that connects to database :
$uid = mysql_escape_string($uid);

Weedpacket

You certainly can. Whether there is any point in doing so depends entirely on whether $uid exists to begin with and what it is used for. Assuming that you meant to write mysql_real_escape_string(), and that $uid is going to be used in a MySQL query.