I am currently testing and planning to launch a community website. It's completely made from PHP and a few JavaScripts here and there, with a MySQL DB. I am planning to let members edit their profile as they wish and also plan to let them use the 'MySpace stuff' that's everywhere these days... you know, the glitter and cursor animations, backgrounds and stuff... Well, I want to know something while I do this. I recently heard about MySQL injections that can be possible by submitting scripts through profile fields. Is this true? How can I prevent such a thing? Does it mean disallowing tags such as <script></script> (I don't want to do it though)? Please shed some light on this. If I was not clear, please let me know through your replies. Thank you, J.
Well, to avoid the SQL injections you would use mysql_escape_string, assuming you have that, or addslashes. Now, as for tags themselves, they're not dangerous to your database itself but are dangerous to other users. If you enable JavaScript I could steal cookies and things like that very easily, for example.
There is a difference between MySQL injections and XSS (cross-site scripting); you're thinking of XSS (<script>). mysql_real_escape_string is better to use (to protect from injections), as it takes the database resource as a parameter and escapes the characters according to your current charset. If you don't want to stop people being able to post JS into their profile (I can't imagine why) then you will leave yourself wide open to XSS attacks (depending on the code uploaded).
Thank you for letting me know that. Please let me know if there is any alternative I could provide members? Does MySpace allow the <script> tag?
No, MySpace doesn't; they probably use a regular expression to remove all <script> tags and all on* events (onmouseover, onclick, ...).
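An added example in the spirit of this answer (my code, not MySpace's and not anything posted in this thread; the tag allowlist, attribute lists and function names are my own choices). Rather than a regex that strips the tags and on* attributes it knows about, it uses PHP's DOMDocument to keep only approved tags and attributes, so every event handler, style= attribute and javascript: URL is dropped by default. The returned string is then trusted HTML: store it as-is and output it without further escaping.

```php
<?php
// Added example, not from the thread: an allowlist sanitizer for profile HTML.
// A regex that strips <script> and on* attributes is a blacklist: it has to
// anticipate every dangerous tag, attribute and encoding. Keeping only tags and
// attributes you have explicitly approved removes everything else by default.

const ALLOWED_TAGS = [              // hypothetical allowlist; extend to taste
    'b' => [], 'i' => [], 'u' => [], 'br' => [], 'p' => [], 'marquee' => [],
    'font' => ['color', 'size'],
    'img'  => ['src', 'alt', 'width', 'height'],
    'a'    => ['href'],
];
// Tags whose *contents* must go too (other unknown tags are just unwrapped).
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

function sanitizeProfileHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);        // tolerate the tag soup members paste
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    // Our wrapper <div> is the first div in document order.
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);      // text nodes are re-escaped here
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Work on a copy: removing children while walking the live NodeList skips entries.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                        // plain text, serialised escaped
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);      // comments, processing instructions, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);      // the element and everything inside it
            continue;
        }
        if (!isset(ALLOWED_TAGS[$tag])) {
            cleanNode($child);               // keep the text inside, lose the tag
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Allowed tag: strip every attribute not on its list (this covers all on*
        // handlers and style=) and any URL that is not plain http(s).
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, ALLOWED_TAGS[$tag], true)
                || !safeAttributeValue($name, $attr->value)) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function safeAttributeValue(string $name, string $value): bool
{
    if ($name === 'href' || $name === 'src') {
        // Rejects javascript:, data:, vbscript: and scheme-less tricks.
        return (bool) preg_match('#^https?://#i', trim($value));
    }
    return true;
}

// Constructed sample of what a member might paste into a profile field:
$pasted = '<b onmouseover="alert(1)">hi</b><script>alert(1)</script>'
        . '<a href="javascript:alert(1)">click</a><img src="http://example.com/glitter.gif">'
        . '<span style="background:url(javascript:alert(1))">plain</span>';
echo sanitizeProfileHtml($pasted);
```

For the constructed sample this keeps the bold text and the image, drops the script element with its contents, removes the onmouseover handler and the javascript: href (leaving a bare <a>click</a>), and unwraps the unapproved <span> so only the word "plain" remains. The allowlist is where policy lives: adding a tag or attribute to it is a deliberate decision, whereas with a blacklist regex anything you forgot is allowed.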
Every single bit of user input ($_POST, $_GET, $_SESSION, $_SERVER) should (almost without exception) be run through either htmlentities or mysql_real_escape_string.
Thanks guys... One more thing. Does mysql_real_escape_string act the same way when it replaces $_POST, $_GET, $_SESSION and $_SERVER, or does it have a different syntax? (Thinking of running a simple search-and-replace tool if it has the same syntax.)
I am not sure what you mean by "replaces". $var = $_POST['var']; $sql = "delete from foo where var='$var'"; will do what you expect it to.
mysql_real_escape_string only expects a variable to be entered, nothing more. It has no idea what variable you enter, and it doesn't need to know. The only thing it will do is replace certain characters, which may mess up your query, by backslashing them. Check the PHP manual for more information about mysql_real_escape_string: http://www.php.net/mysql_real_escape_string
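An added example, not code posted by anyone in this thread, pulling together the three points made in the answers above: SQL injection and XSS are separate problems, escaping with mysql_real_escape_string addresses the SQL side, and htmlentities/htmlspecialchars addresses the HTML side. The table and column names, the $db connection and the credentials are placeholders. mysql_real_escape_string() itself belongs to the old ext/mysql extension, which PHP 7 removed, so the mysqli equivalent is shown next to a prepared statement, which avoids escaping altogether by sending the value separately from the query text.

```php
<?php
// Added example, not code from the thread. Assumes a mysqli connection $db and a
// table `profiles` with columns `user_id` and `about` (all hypothetical).

// SQL side, preferred: a prepared statement. The value travels separately from
// the query text, so quotes or backslashes in $about cannot change the query.
function saveAbout(mysqli $db, int $userId, string $about): bool
{
    $stmt = $db->prepare('UPDATE profiles SET about = ? WHERE user_id = ?');
    $stmt->bind_param('si', $about, $userId);
    return $stmt->execute();
}

// The escaping approach discussed above, in its mysqli form. It takes the
// connection because escaping must follow the connection's character set; the
// characters it backslashes are NUL, \n, \r, \, ', " and Ctrl-Z.
function saveAboutEscaped(mysqli $db, int $userId, string $about): bool
{
    $safe = $db->real_escape_string($about);
    return (bool) $db->query("UPDATE profiles SET about = '$safe' WHERE user_id = $userId");
}

function loadAbout(mysqli $db, int $userId): string
{
    $stmt = $db->prepare('SELECT about FROM profiles WHERE user_id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($about);
    return $stmt->fetch() ? (string) $about : '';
}

// HTML side: escape when the field is displayed, not when it is stored. Storing
// the raw text keeps one copy of the data usable for search, e-mail and so on,
// and escaping it for SQL on the way in would not make it safe for HTML anyway.
function renderAbout(string $about): string
{
    return htmlspecialchars($about, ENT_QUOTES, 'UTF-8');
}

// Constructed sample of a member's submission: a quote (matters to SQL) and a
// tag (matters to HTML).
$submitted = "O'Brien says <script>alert('xss')</script>";
$db = new mysqli('localhost', 'user', 'pass', 'community');   // placeholder credentials
saveAbout($db, 42, $submitted);
echo renderAbout(loadAbout($db, 42));
// The browser receives <, >, ' and " as entities, so the text is shown rather than
// run. renderAbout() is for plain-text fields; a field that is meant to hold HTML
// needs an allowlist sanitizer instead of this escaping.
```

Note the two functions answer different questions: real_escape_string (and the prepared statement) decide whether the database query is safe, htmlspecialchars decides whether the browser is safe, and neither substitutes for the other.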