Mordent
Mar 16 2008, 02:12 PM
I'm curious as to the best methods of letting users submit data to a MySQL database, displaying that data, and removing any unwanted tags etc. from it. Currently, there's a handful of PHP functions that I know of to help with this:

- mysql_real_escape_string() - perhaps the best known and most commonly used function, it should be used in pretty much any MySQL query. It escapes characters that have SQL significance.

QUOTE(php.net)
...which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a

I like to think I made a pretty good attempt at finding out what \x00 and \x1a are, but I can't find anywhere that will simply tell me. I'd assume that one of them is a hyphen (-), as that has special significance in SQL?

- strip_tags() - removes all HTML tags (including malformed ones) except those given in the second argument.
- nl2br() - converts all newlines (i.e. "\n") to "<br />"
- htmlspecialchars() - converts characters that have HTML significance (i.e. ", ', &, <, >) into ones which will simply display instead of having any HTML meaning.
- htmlentities() - any idea what the difference between this and htmlspecialchars() is?

QUOTE(php.net)
This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

Anyone care to comment on how that would handle a string differently from htmlspecialchars()?

- addslashes() - adds "\" before quotes (both ' and "), other backslashes and NUL. According to php.net the function should be used when entering data into a database, although if magic_quotes_gpc is on (which, I believe, is the case both by default and on AstaHost's servers) then it is entirely unnecessary, as apparently:

QUOTE(php.net)
The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this.

- stripslashes() - effectively reverses (?) addslashes().

So, given the function arsenal above, what can we get out of it? Clearly we could apply a lot of overkill to some strings, which would be unnecessary, but what's the minimum that needs to be done to make user-inputted data secure and still output what you want? Let's say we have a textarea which the user can input whatever they like into, and in all cases the data will be stored in a MySQL database and can be displayed exactly as typed (mainly because that's the bit I'm working on). Take this forum, as an example. I can quite happily type things such as "<b>foobar</b>" and they display exactly as entered. The quotation marks are left in, the bold tags are displayed, but not carried out. All formatting such as using bold text is done on the user's side with BB Code, which uses square brackets. For now, however, I want to leave this additional formatting alone, and just show precisely what's typed in. So, back to the textarea idea, let's say we have a form as below:

CODE
<fieldset>
  <legend>Update Text</legend>
  <form action="update_text.php" method="post">
    <textarea cols="100" rows="10" name="text"></textarea><br />
    <input type="submit" name="update" value="Update" />
  </form>
</fieldset>

So whatever the user types in is sent (via POST) to the script update_text.php. In that file we want to store it in a MySQL database. Given that we have a method of identifying the user by an ID (via sessions, most likely), and that the required file connects to the database:

CODE
...
// process input
$text = $_POST['text'];
// access database ($id is assumed to be set already, e.g. from the session)
require('includes/db.php');
// escape both values for SQL only; the text itself is stored as typed
mysql_query('UPDATE members SET text = "' . mysql_real_escape_string($text) . '" WHERE id = "' . mysql_real_escape_string($id) . '"') or die(mysql_error());
...

So, correct me if I'm wrong, but that would store the text so it can be recovered as entered? Newlines ("\n") would be put in, naturally, and any relevant characters would be escaped so that they're stored in MySQL correctly, and the possibility of SQL injection here would be low, right? The data would now be stored, theoretically exactly as inputted. If we want to get that data back out, so that it's shown by default in the form we could do so as shown below:

CODE
...
// access database
require('includes/db.php');
$getMember = mysql_query('SELECT text FROM members WHERE id = "' . mysql_real_escape_string($id) . '"') or die(mysql_error());
if (mysql_num_rows($getMember) == 1) {
    // member found; escape for HTML so the value cannot break out of the textarea
    $row = mysql_fetch_array($getMember);
    $currentText = htmlspecialchars($row['text']);
}
...

...and then echo $currentText between the textarea tags in the form? htmlspecialchars() would need to be used, I believe, to stop people from closing the textarea early themselves and going on to do anything else they want. I'm pretty sure no other functions in the list above need to be used, but I'd like to confirm that. Then, when displaying the text (i.e. not in the textarea), I assume something like this could be used:

CODE
...
// access database
require('includes/db.php');
$getMember = mysql_query('SELECT text FROM members WHERE id = "' . mysql_real_escape_string($id) . '"') or die(mysql_error());
if (mysql_num_rows($getMember) == 1) {
    // member found; escape for HTML first, then turn newlines into <br />
    $row = mysql_fetch_array($getMember);
    $text = nl2br(htmlspecialchars($row['text']));
}
...

...which is identical to the previous method except for the use of nl2br() as well. Note that it's used after htmlspecialchars(), as otherwise the "<br />" tags would be converted to "<br />" afterwards. Would any other functions need to be used, or would that simply do the job to a high enough level of security and still give the desired result? Thanks in advance for any feedback or comments, Mordent
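The following is an added example, not Mordent's code, showing the two escaping layers the post is circling around kept strictly apart: SQL escaping at storage time (here done by binding parameters in a prepared statement, which is the mysql_real_escape_string() approach taken to its conclusion) and HTML escaping only at output time, with nl2br() applied after htmlspecialchars(). It also prints what htmlentities() does differently. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the "members" table and "text" column come from the post, everything else (function names, the sample input) is constructed for the demo. On the \x00 / \x1a question: \x00 is the NUL byte and \x1a is the ASCII SUB (Ctrl-Z) control character; neither is a hyphen.

```php
<?php
// Added example (not from the original post): storage escaping and output
// escaping as two separate layers. PDO + SQLite stands in for MySQL here.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, text TEXT)');
    $db->exec("INSERT INTO members (id, text) VALUES (1, '')");
    return $db;
}

// Layer 1, storage: the value is bound, never concatenated into the SQL, so
// quotes, backslashes and "; DROP TABLE" fragments are just data. No
// addslashes(), no strip_tags(): the text is stored exactly as typed.
function save_text(PDO $db, int $id, string $text): void {
    $stmt = $db->prepare('UPDATE members SET text = :text WHERE id = :id');
    $stmt->execute([':text' => $text, ':id' => $id]);
}

function load_text(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT text FROM members WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['text'];
}

// Layer 2a, the textarea: HTML-escape only. ENT_QUOTES also escapes single
// quotes, which the default flags of older PHP versions leave untouched.
function for_textarea(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Layer 2b, display: escape first, then insert <br />. Reversing the order
// would turn the inserted tags into literal "&lt;br /&gt;" text.
function for_display(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Constructed input covering the cases raised in the thread: both quote
// styles, a backslash, a tag, an injection-looking fragment, a newline and
// an accented character (treated differently by htmlentities()).
$input = "<b>foobar</b> said \"it's\" 100%\\n\n'); DROP TABLE members; -- café";

$db = open_db();
save_text($db, 1, $input);
$stored = load_text($db, 1);

echo ($stored === $input) ? "round-trip intact\n" : "round-trip changed the text\n";
echo "textarea:     ", for_textarea($stored), "\n";
echo "display:      ", for_display($stored), "\n";
// htmlspecialchars() leaves "é" as-is; htmlentities() turns it into &eacute;
echo "htmlentities: ", htmlentities($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php` (pdo_sqlite is bundled with most PHP builds). The point to take away is that the stored value is never modified for safety; each output context gets its own encoding at the moment of output, and the textarea and the display page need different treatment only because one of them also wants line breaks.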
Jared
Apr 19 2008, 07:52 AM
I'm afraid I can't give you a very clear answer, but htmlspecialchars () would effectively remove anything that could be maliciously (bad choice of word) interpreted in HTML.. So as far as security goes, you're fine. Now we just have to worry about formatting. Essentially, the <pre> tag would make text appear exactly as shown, so we just have to think about what the <pre> tag really does. So it turns out the <pre> tag simply treats newlines and spaces as they are entered. So we just have to format those. nl2br () would take care of the newlines, but the spaces are still unaccounted for. But this may be a simple matter... we wouldn't be able to use a regular expression to replace multiple spaces with if there were tags in the midst--since <a href=""> is the same as <a href=""> and not <a href="">--HOWEVER there are no tags here! Text is being displayed exactly as it is. So we have a regular expression: (\s{2,}) Also... I just remembered... we have to watch out for tabs, too. Tabs (unfortunately) cannot be forced to print as a space can with , but you can use to make it slightly more html-friendly. So my final answer would be:

CODE
<?php
$text = 'your mysql variable';
$text = htmlspecialchars ($text);
// runs of two or more spaces: one non-breaking space entity per space
$text = preg_replace_callback ('/(\x20{2,})/', create_function ('$matches', '$list = \'\'; for ($i = 0; $i < strlen ($matches[1]); $i++) $list .= \'&nbsp;\'; return $list;'), $text);
// tabs get the same treatment (matched with "+" so a single tab is handled too)
$text = preg_replace_callback ('/(\x09+)/', create_function ('$matches', '$list = \'\'; for ($i = 0; $i < strlen ($matches[1]); $i++) $list .= \'&nbsp;\'; return $list;'), $text);
// newlines last, after escaping, so the <br /> tags survive
$text = nl2br ($text);
echo $text;
?>

That would work. My create_function is slightly sloppy, so you might want to fix that up if you can find a better way haha.. P.S. The only way you could "make tabs format" is if you decided to replace each tab with, say, 5 spaces. It's not the same idea as the tab (since a tab has variable space) but it's close. That would be this:

CODE
// each tab becomes five non-breaking spaces
$text = preg_replace_callback ('/(\x09+)/', create_function ('$matches', '$list = \'\'; for ($i = 0; $i < 5 * strlen ($matches[1]); $i++) $list .= \'&nbsp;\'; return $list;'), $text);

Hope this helps!!! - Jared
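As an added example (not Jared's code), here is the whitespace-preserving renderer generalised a little: tabs are expanded at a fixed width, single tabs included, runs of spaces are made non-breaking in a way that still leaves the browser a place to wrap long lines, a leading space on a line is pinned (HTML collapses it otherwise), and escaping happens before any entity is inserted so nothing can be double-encoded. The function name, tab width and sample text are choices made for this example.

```php
<?php
// Added example (not from the original reply): render stored plain text so
// that spaces, tabs and newlines survive in HTML, escaping first.

function render_preserving_whitespace(string $text, int $tabWidth = 4): string {
    // 1. Escape first: anything below only ever inserts our own entities.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Every tab (lone ones too) becomes $tabWidth non-breaking spaces.
    $html = str_replace("\t", str_repeat('&nbsp;', $tabWidth), $html);

    // 3. Runs of two or more spaces: alternate a normal space with &nbsp; so
    //    the width is kept but a long line can still break at a normal space.
    $html = preg_replace_callback('/ {2,}/', function (array $m): string {
        $len = strlen($m[0]);
        return str_repeat(' &nbsp;', intdiv($len, 2)) . ($len % 2 ? ' ' : '');
    }, $html);

    // 4. A normal space at the start of a line is collapsed by HTML; pin it.
    $html = preg_replace('/^ /m', '&nbsp;', $html);

    // 5. Newlines last, so step 1 cannot escape the inserted <br /> tags.
    return nl2br($html);
}

// Constructed sample: a tab, an indented line, a tag that must not render,
// and a three-space run.
$sample = "col1\tcol2\n  indented  <b>x</b>   end";
echo render_preserving_whitespace($sample), "\n";
```

The same visual result can be had today without any entity juggling by putting the htmlspecialchars() output inside an element styled with `white-space: pre-wrap`, which preserves spaces, tabs and newlines while still wrapping; the function above is for the case where markup must carry the layout on its own.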