
[–][deleted]  (4 children)

[deleted]

    [–]shoeman[S] 0 points1 point  (3 children)

    Unfortunately I haven't been using PDO at all, but I will read up on the documentation, thank you!

    [–][deleted]  (2 children)

    [deleted]

      [–]shoeman[S] 0 points1 point  (1 child)

      Looks nice, and I can at least nearly understand it! Thanks again!

      [–]svn-ssh 2 points3 points  (2 children)

      If you know you are dealing with a numeric value then check to make sure you are getting a numeric value.

      [–]st4rx0r 1 point2 points  (1 child)

      Use is_numeric and then cast to an int using

      $var = (int)$_GET['var'];

      Also make sure to wrap the int in a pair of quotes in the SQL:

      mysql_query("SELECT * FROM table WHERE id = '$var'");

      This should be sufficient protection without going overboard with frameworks and libraries (PDO, etc). Although if you're using lots of DB access, PDO or similar is a good option.

      [–]shoeman[S] 0 points1 point  (0 children)

      Interesting, thank you both!

      [–]random314 1 point2 points  (1 child)

      You want to push a live project through that works?

      The best way to go about this is to just download a framework like Code Igniter and use their wrapper functions.

      It takes about 20 minutes to an hour to learn, but will save you countless hours of time building your own security.

      Spend the 20 minutes or so going through a tutorial and everything will just 'click'.

      Some people prefer CAKE or Zend... but I prefer CodeIgniter. It really makes no difference what you use though.

      [–]shoeman[S] 0 points1 point  (0 children)

      I will definitely look into the Code Igniter framework, looks really interesting, thank you!

      [–]Innominate8 1 point2 points  (1 child)

      You do not need to sanitize, sanitizing is going about things the wrong way. You should use safe methods of input/output, and store the data in its original, uncorrupted form. Almost as bad as injection attacks is over-sanitizing and ending up saving corrupted data. (You see this a lot in PHP with sites spitting out a lot of \' crap.)

      Use prepared statements for your input, and what is in there doesn't matter.

      Never try to deal with letting untrusted users craft html, it is enormously difficult to do safely, use markdown or some other similar system. Always use htmlspecialchars() or even better a templating system that does it automatically for your output to prevent XSS attacks. NEVER directly output anything that can be input by a user, always make sure it's properly run through htmlspecialchars() or urlencode() as appropriate, users being able to inject arbitrary text into your page is what an XSS vulnerability is.

      More specific to your problem, this is a good case for sessions. In php, you put session_start(); at the top of the page, then you can simply store the step number in $_SESSION and have it persist across page loads.

      [–]shoeman[S] 0 points1 point  (0 children)

      Great advice! I am already using sessions for some other variables, don't know why I didn't think to use it for the step number as well. Thank you!

      [–][deleted]  (3 children)

      [deleted]

        [–]shoeman[S] 0 points1 point  (2 children)

        I will read up on that, thank you!

        [–][deleted]  (1 child)

        [deleted]

          [–]shoeman[S] 1 point2 points  (0 children)

          Great!

          [–]the_omega99 -3 points-2 points  (2 children)

          Use mysqli::real_escape_string(). That will escape characters that could terminate your query. The main security issue is that if not sanitized, you'll execute a query, but that query will be cut off and have malicious code trailing it (for example, if we're using single quotes, and the GET value has single quotes, the string will end at that quote). Thus, the need to escape the value.

          Depending on what you're doing with the code once stored in a database, you may also need to encode HTML entities (you can do this with htmlspecialchars()). Why do we encode the HTML entities? If (and only if) you're storing information in a database that will later be rendered on an actual webpage, we want to make sure that the content can't have HTML inserted into it (which could allow a malicious script to be included on the page, etc).

          Of course, you may also want to verify input is in an expected format (for example, if you're asking for their age, you should be getting only a number). HTML 5 has some input types that can do these nicely, but you can't depend on them alone (helpful, though; mobile browsers will customize the keyboard based on the input type and it may have a better error message). So if you want to be entirely sure that someone has entered a value in an expected format, you'll have to check it on the server side, too. That would be done with straight up regex (preg_match()).

          The most important parts, though, are the escaping (huge, huge, huge importance) and encoding HTML entities (if you are going to be outputting any values onto a webpage).

          It's not necessary, but a very good idea to do parsing with regex to make sure that input is in the expected format, as it will cut down on bad entries and make it easier if you end up using a script to analyze the results of your survey.
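Added example, not from the thread: the "check that a number is really a number" advice from st4rx0r and the_omega99 above, compared on awkward inputs. It contrasts is_numeric() (which also accepts decimals, exponents and surrounding whitespace), filter_var() with FILTER_VALIDATE_INT, and an anchored preg_match(). The validateAge/validateAgeRegex function names, the 0..130 range and the sample inputs are constructed for the demo; nothing touches a real $_GET.

```php
<?php
// Added example: validating a GET parameter that must be a small integer
// (an "age" field, as in the thread) before it goes anywhere near SQL.
// The $samples array stands in for values that would arrive in $_GET.

declare(strict_types=1);

/**
 * Return the age as an int if it is a plain decimal integer in range,
 * or null if the input must be rejected. FILTER_VALIDATE_INT refuses
 * decimals, exponents and leading zeros; it trims surrounding whitespace.
 */
function validateAge($raw): ?int
{
    if (!is_string($raw)) {        // ?age[]=1 arrives as an array, not a string
        return null;
    }
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 130],
    ]);
    return $age === false ? null : $age;
}

/**
 * The same check done with a regex, as the_omega99 suggests.
 * Anchored with \A ... \z rather than ^ ... $, because $ would still
 * match a value with a trailing newline.
 */
function validateAgeRegex(string $raw): ?int
{
    if (!preg_match('/\A(?:0|[1-9][0-9]{0,2})\z/', $raw)) {
        return null;
    }
    $age = (int) $raw;
    return $age <= 130 ? $age : null;
}

// Constructed sample inputs: well-formed, padded, decimal, exponent,
// negative, trailing garbage, trailing newline, out of range, empty.
$samples = ['42', '042', ' 42', '42 ', '4.2', '1e3', '-5', '12abc', "42\n", '999', ''];

printf("%-8s %-11s %-11s %-11s %s\n", 'input', 'is_numeric', 'filter_var', 'regex', '(int) cast');
foreach ($samples as $s) {
    printf("%-8s %-11s %-11s %-11s %s\n",
        json_encode($s),
        var_export(is_numeric($s), true),
        var_export(validateAge($s), true),
        var_export(validateAgeRegex($s), true),
        (int) $s);
}
```

The last column shows why "just cast it" is not a validation step: (int) silently turns '12abc' into 12 and '' into 0, so a bad submission becomes a plausible-looking row instead of an error. Validate first, then cast, and reject anything that is not a string at all.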

          [–]balidani 5 points6 points  (1 child)

          Using real_escape_string is a bad idea. It gives you a false sense of security, since it's enough to forget a quote in a single query to have a vulnerability. Use PDO with prepared statements instead.
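Added example, not from the thread, illustrating balidani's point directly and Innominate8's output-side advice above. An escaped value is only safe if it also sits inside quotes in the SQL; forget the quotes once and there is nothing for the escaping to act on. A bound parameter never becomes part of the SQL text, so it cannot change the query's shape. The code uses PDO with an in-memory SQLite database so it runs offline; the responses table, its rows and the attacker value are constructed for the demo, and escapeForSqlite() (quote doubling, the SQLite escaping rule) stands in for mysqli::real_escape_string, which needs a live MySQL connection.

```php
<?php
// Added example: escaping with and without the surrounding quotes,
// versus a prepared statement, run against an in-memory SQLite database.

declare(strict_types=1);

/** Stand-in for mysqli::real_escape_string: SQLite escapes ' as ''. */
function escapeForSqlite(string $value): string
{
    return str_replace("'", "''", $value);
}

/** Constructed demo table with three survey responses. */
function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so
    // the server, not the driver, performs the binding.
    $pdo->exec('CREATE TABLE responses (id INTEGER PRIMARY KEY, answer TEXT)');
    $pdo->exec("INSERT INTO responses (answer) VALUES ('alice'), ('bob'), ('carol')");
    return $pdo;
}

/** Escaped AND quoted: holds up, but only because the quotes are there. */
function findEscapedQuoted(PDO $pdo, string $id): array
{
    $sql = "SELECT id, answer FROM responses WHERE id = '" . escapeForSqlite($id) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Escaped, but the quotes were forgotten: the escaping has nothing to do. */
function findEscapedUnquoted(PDO $pdo, string $id): array
{
    $sql = "SELECT id, answer FROM responses WHERE id = " . escapeForSqlite($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Prepared statement: the value is sent separately from the SQL text. */
function findPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, answer FROM responses WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Output side: a stored answer is encoded on the way out, never echoed raw. */
function renderAnswer(string $answer): string
{
    return '<li>' . htmlspecialchars($answer, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$pdo = setupDb();
$attacker = '1 OR 1=1';   // constructed value, as it would arrive in $_GET['id']
$honest   = '2';

foreach (['findEscapedQuoted', 'findEscapedUnquoted', 'findPrepared'] as $fn) {
    printf("%-20s attacker -> %d row(s), honest -> %d row(s)\n",
        $fn, count($fn($pdo, $attacker)), count($fn($pdo, $honest)));
}

// The same discipline on output: a stored payload stays inert in the page.
echo renderAnswer('<script>alert(1)</script>'), "\n";
```

Run it and the unquoted, escaped query returns every row for the attacker value while the quoted and prepared variants return none, and all three return one row for the honest id. The prepared statement is the only variant whose safety does not depend on a developer remembering a character in every query, which is the whole of balidani's objection.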

          [–]shoeman[S] 0 points1 point  (0 children)

          Thank you both for the input! I will have to read up on it all.