PHP
  Home arrow PHP arrow Page 3 - PHP Security Mistakes
Dev Shed Forums 
Administration  
AJAX  
Apache  
BrainDump  
DHTML  
Flash  
Java  
JavaScript  
Multimedia  
MySQL  
Oracle  
Perl  
PHP  
Practices  
Python  
Reviews  
Security  
Style-Sheets  
Web Services  
XML  
Zend  
Zope  
Forums Sitemap 
IBM® developerWorks 
Sun Developer Network 
Dedicated Servers 
E-Commerce Hosting 
Linux Web Hosting 
Managed Hosting 
Small Business Hosting 
Actuate Whitepapers 
Moblin 
VPS Hosting 
Weekly Newsletter

 
Developer Updates  
Free Website Content 
 RSS  Articles
 RSS  Forums
 RSS  All Feeds
Write For Us Get Paid 
Request Media Kit
Contact Us 
Site Map 
Privacy Policy 
Support 
 USERNAME
 
 PASSWORD
 
 
  >>> SIGN UP!  
  Lost Password? 
PHP

PHP Security Mistakes
By: Dave Clark
  • Search For More Articles!
  • Disclaimer
  • Author Terms
    		•
    Rating: 4 stars4 stars4 stars4 stars4 stars / 287
    2004-06-09

    Table of Contents:
  • PHP Security Mistakes
  • Tips 2, 3
  • Tip 4
  • Tips 5, 6
    		•

    Rate this Article: Poor Best 
      ADD THIS ARTICLE TO:
      Del.ici.ous Digg
      Blink Simpy
      Google Spurl
      Y! MyWeb Furl
    Email Me Similar Content When Posted
    Add Developer Shed Article Feed To Your Site
    Email Article To Friend
    Print Version Of Article
    PDF Version Of Article
    		 
     
    ADVERTISEMENT

    Stay one step ahead of the competition. Evaluate and give feedback on some of the hottest web development tools on the market today. Make your opinion heard! Click Here

    PHP Security Mistakes - Tip 4
    (Page 3 of 4 )

    4. Never run unescaped queries

    PHP has a feature, enabled by default, that automatically escapes (adds a backslash in front of) certain characters that come in from a GET, POST, or COOKIE. The single quote (') is one example of a character that is escaped automatically. This is done so that if you include input variables in your SQL queries, it will not treat single quotes as part of the query. Say your user entered $name from a form and you performed this query:

    UPDATE users SET Name='$name' WHERE ID=1;

    Normally, if they had entered $name with single quotes in them, they would be escaped, so MySQL would see this:

    UPDATE users SET Name='Joe\'s' WHERE ID=1

    so that the single quote entered into "Joe's" would not interfere with the query syntax.

    In some situations, you may use stripslashes() on an input variable. If you put the variable into a query, make sure to use addslashes() or mysql_escape_string() to escape the single quotes before your run the query. Imagine if an unslashed query went in, and a malicious user had entered part of a query as their name!

    UPDATE users SET Name='Joe',Admin='1' WHERE ID=1

    On the input form, the user would have entered:

    Joe',Admin='1

    As their name, and since the single quotes were not escaped, he or she would be able to actually end the name definition, place in a comma, and set another variable called Admin!

    The final query with input in blue would look like this:

    UPDATE users SET Name='Joe',Admin='1' WHERE ID=1

    In some configurations, magic_quotes_gpc (the feature that automatically adds slashes to all input) is actually set to OFF. You can use the function get_magic_quotes_gpc() to see if it's on or not (it returns true or false). If it returns false, simply use addslashes() to add slashes to all of the input (it is easiest if you use $_POST, $_GET, and $_COOKIE or $HTTP_POST_VARS, $HTTP_GET_VARS, and $HTTP_COOKIE_VARS, instead of globals because you could step through those arrays using a foreach() loop and add slashes to each one).

    Next: Tips 5, 6 >>
     

    More PHP Articles
    More By Dave Clark


       · Great article PHP security is getting bigger every day I've personally been using...
     
    >>> Post your comment now!

       

    PHP ARTICLES

    - Handling Attachments in MIME Email with PHP
    - Completing the Project Management Application
    - Sending MIME Email with PHP
    - Handling Files for a Project Management Appl...
    - Viewing and Editing Tasks for a Project Mana...
    - More on Private Methods with PHP 5 Member Vi...
    - Adding Tasks to a Project Management Applica...
    - Utilizing Private Methods with PHP 5 and Mem...
    - Making Changes in a Project Management Appli...
    - Defining Public and Protected Methods with M...
    - HTML for a Project Management Application
    - Using Subclasses and Accessors with Member V...
    - Implementing Internet Protocols with PHP
    - Project Management: The Application
    - Working with Private Properties to Protect P...
    Find More PHP Articles



    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 5 hosted by Hostway