
Re: Is this PHP code secure from CSS ?



You might also want to check out: http://libox.net/sanitize.php
People have already written functions that you should use.

Hope that helps,
Meder

> On Fri 26/09/2003 at 17:21, kha wrote:
>> $login = mysql_escape_string($_POST['login']);
>> $password = mysql_escape_string($_POST['password']);
>> $lines = performQuery("select id from users where name='$login' and pass='$password'");
>> Do I need only the mysql_escape_string function to prevent SQL
>> injections in the form, or should I perform other checks?
>
> You should perform any test you can perform. mysql_escape_string can
> happen to be buggy one day, who knows. Another cool function you can use
> for input validation is PHP safe mode magic_quotes_* settings.
>
> Anyway, if you decide both login and password should contain only
> alphanumeric characters, you should enforce $login and $password against
> a [a-zA-Z0-9] based expression before constructing your SQL query.
>
>> NB : passwords are not yet encrypted in the database.
>
> :/
>
> NB : what you want to avoid here is not CSS (one usually says XSS), but
>      SQL injection.
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
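An added example, not code from this thread or from the sanitize.php page linked above: the [a-zA-Z0-9] whitelist check suggested in the reply, combined with a parameterised query (so the input never becomes part of the SQL text) and a hashed password instead of the plaintext one mentioned in the question. It assumes PDO with an in-memory SQLite database and a users table (id, name, pass) constructed inline for the demo.

```php
<?php
// Added example, not from the thread. Assumes PDO and a users table with
// columns id, name, pass, where pass holds a password_hash() result.

// Whitelist check as recommended in the reply: only [a-zA-Z0-9].
// Rejecting early keeps unexpected input away from the database entirely.
function isAlnumToken(string $value, int $maxLen = 64): bool
{
    return $value !== '' && strlen($value) <= $maxLen
        && preg_match('/^[a-zA-Z0-9]+$/', $value) === 1;
}

// Returns the user id on success, null on failure (bad input or wrong
// credentials). Bound parameters mean a login such as "' or '1'='1" cannot
// alter the statement, which is the defence mysql_escape_string alone could
// not guarantee. The password is not whitelisted: it is never interpolated
// into SQL, and restricting its characters would only weaken it.
function authenticate(PDO $db, string $login, string $password): ?int
{
    if (!isAlnumToken($login)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, pass FROM users WHERE name = :name');
    $stmt->execute([':name' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() compares against a salted hash in constant time,
    // addressing the "passwords are not yet encrypted" remark.
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    return (int) $row['id'];
}

// Demo with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$ins = $db->prepare('INSERT INTO users (name, pass) VALUES (:n, :p)');
$ins->execute([':n' => 'kha', ':p' => password_hash('s3cret', PASSWORD_DEFAULT)]);

var_dump(authenticate($db, 'kha', 's3cret'));            // valid login
var_dump(authenticate($db, 'kha', 'wrong'));             // wrong password
var_dump(authenticate($db, "' or '1'='1", 'anything'));  // fails whitelist
```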