vb.org Archive
Page 7 of 8 « First 56 7 8
Show 40 post(s) from this thread on one page

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   Community Lounge (https://vborg.vbsupport.ru/forumdisplay.php?f=13)
-   -   security seems not a main priority in vb hacks (https://vborg.vbsupport.ru/showthread.php?t=73307)

Brad 01-01-2005 03:03 AM
3.2.0? ;)

cinq 03-24-2005 11:29 PM
Quote:
Originally Posted by Revan
You sayin that by using the htmlspecialchars_uni(trim()) there's no need for addslashes()?
This never got answered.
Anyone ?

Dean C 03-24-2005 11:59 PM
Really you should use mysql_escape_string when cleansing input for the database :) That's PHPs native function. I can't understand why everyone is using addslashes still (myself included ;))

Revan 03-25-2005 12:39 AM
What about mysql_real_escape_string()? ;)

cinq 03-25-2005 12:43 AM
So basically as long as you are using something as input into an SQL query, it would be good to use mysql_real_escape_string() first, regardless of whether it is a Insert, Select or whatever kind of query ?

Revan 03-25-2005 10:07 AM
This is what PHP Devs have to say:

Quote:
Originally Posted by PHP Manual
This function will escape special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

mysql_real_escape_string() calls MySQL's library function mysql_escape_string, which prepends backslashes to the following characters: NULL, \x00, \n, \r, \, ', " and \x1a.


This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Marco van Herwaarden 03-25-2005 10:21 AM
Quote:
Originally Posted by Dean C
Really you should use mysql_escape_string when cleansing input for the database :) That's PHPs native function. I can't understand why everyone is using addslashes still (myself included ;))
You are saying Addslashes is not a native PHP function?

AFAIK they are both native and almost identical (not mysql_real.. because that one also uses the database connection to take the character set used in account).

mysql_(real_)escape_string can be used since PHP 4.0.3, where addslashes was already available since PHP 3.

Revan 03-25-2005 10:39 AM
I want to know whether I should use mysql_real or keep using addslashes. Someone give me a definite "this or that" answer, or else someone will be in much pain ;)

Dean C 03-25-2005 11:33 AM
Sorry I was tired last night when I made that post. I meant mysql_real_escape_string, and that addslashes won't properly escape everything pasted to an SQL query like mysql_real_escape_string will :)

Adrian Schneider 03-25-2005 04:03 PM
Could someone write a tutorial on how to avoid such problems, maybe all the developers will follow it, I could sure use one.


All times are GMT. The time now is 10:24 AM.
Page 7 of 8 « First 56 7 8
Show 40 post(s) from this thread on one page

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01051 seconds
  • Memory Usage 1,734KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (3)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (10)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • pagenav_page
  • pagenav_complete
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete