Go Back   vb.org Archive > Community Central > Community Lounge
Reload this Page security seems not a main priority in vb hacks
FAQ Members List Calendar Search Today's Posts Mark Forums Read
  #61  
Old 01-01-2005, 03:03 AM
Brad Brad is offline
 
Join Date: Nov 2001
Posts: 4,765
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
3.2.0?
Reply With Quote
  #62  
Old 03-24-2005, 11:29 PM
cinq's Avatar
cinq cinq is offline
 
Join Date: Oct 2002
Posts: 1,398
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Revan
You sayin that by using the htmlspecialchars_uni(trim()) there's no need for addslashes()?
This never got answered.
Anyone ?
Reply With Quote
  #63  
Old 03-24-2005, 11:59 PM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Really you should use mysql_escape_string when cleansing input for the database That's PHPs native function. I can't understand why everyone is using addslashes still (myself included )
Reply With Quote
  #64  
Old 03-25-2005, 12:39 AM
Revan's Avatar
Revan Revan is offline
 
Join Date: Jan 2004
Location: Norway
Posts: 1,671
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
What about mysql_real_escape_string()?
Reply With Quote
  #65  
Old 03-25-2005, 12:43 AM
cinq's Avatar
cinq cinq is offline
 
Join Date: Oct 2002
Posts: 1,398
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
So basically as long as you are using something as input into an SQL query, it would be good to use mysql_real_escape_string() first, regardless of whether it is a Insert, Select or whatever kind of query ?
Reply With Quote
  #66  
Old 03-25-2005, 10:07 AM
Revan's Avatar
Revan Revan is offline
 
Join Date: Jan 2004
Location: Norway
Posts: 1,671
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
This is what PHP Devs have to say:

Quote:
Originally Posted by PHP Manual
This function will escape special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.

mysql_real_escape_string() calls MySQL's library function mysql_escape_string, which prepends backslashes to the following characters: NULL, \x00, \n, \r, \, ', " and \x1a.


This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Reply With Quote
  #67  
Old 03-25-2005, 10:21 AM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by Dean C
Really you should use mysql_escape_string when cleansing input for the database That's PHPs native function. I can't understand why everyone is using addslashes still (myself included )
You are saying Addslashes is not a native PHP function?

AFAIK they are both native and almost identical (not mysql_real.. because that one also uses the database connection to take the character set used in account).

mysql_(real_)escape_string can be used since PHP 4.0.3, where addslashes was already available since PHP 3.
Reply With Quote
  #68  
Old 03-25-2005, 10:39 AM
Revan's Avatar
Revan Revan is offline
 
Join Date: Jan 2004
Location: Norway
Posts: 1,671
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
I want to know whether I should use mysql_real or keep using addslashes. Someone give me a definite "this or that" answer, or else someone will be in much pain
Reply With Quote
  #69  
Old 03-25-2005, 11:33 AM
Dean C's Avatar
Dean C Dean C is offline
 
Join Date: Jan 2002
Location: England
Posts: 9,071
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Sorry I was tired last night when I made that post. I meant mysql_real_escape_string, and that addslashes won't properly escape everything pasted to an SQL query like mysql_real_escape_string will
Reply With Quote
  #70  
Old 03-25-2005, 04:03 PM
Adrian Schneider's Avatar
Adrian Schneider Adrian Schneider is offline
 
Join Date: Jul 2004
Posts: 2,528
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Could someone write a tutorial on how to avoid such problems, maybe all the developers will follow it, I could sure use one.
Reply With Quote
Reply
Page 7 of 8 « First 56 7 8

« Previous Thread | Next Thread »
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 07:10 AM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.04398 seconds
  • Memory Usage 2,249KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (3)pagenav_pagelink
  • (10)post_thanks_box
  • (10)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (10)post_thanks_postbit_info
  • (10)postbit
  • (10)postbit_onlinestatus
  • (10)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete