Security of a guestbook

#1
hoku_2000 _99
I've made a guestbook. Right now it works fine, but the downside is that it can easily be hacked. How can I encode the special characters so that it doesn't get hacked?

#2
gregwarner
What language and what database are you using for the backend? If it's PHP and MySQL, you can use mysqli_real_escape_string.
Doc: PHP: mysqli::real_escape_string - Manual
Or you could use prepared statements.
Hofstadter's Law: It always takes longer than you expect, even when you take into account Hofstadter's Law.

– Douglas Hofstadter, Gödel, Escher, Bach: An Eternal Golden Braid


#3
hoku_2000 _99
Yes, I am using PHP and MySQL. This is my first time using mysqli_real_escape_string, but I found an example:
PHP mysql_real_escape_string() Function. Is this the proper way to use mysqli_real_escape_string?

#4
Alexander
If you are using the very old, defunct mysql_* extension set, then mysql_real_escape_string is required. If you are using the newer mysqli_* (i for improved) extension set, then the suggested mysqli_real_escape_string (or its object-oriented counterpart, see the linked manual) is suggested for consistency.

If you use bound statements with MySQLi, or alternatively use PDO instead, you will not even need to escape, because it treats data separately from the query itself, if used properly.

For encoding characters, you may wish to disallow HTML with htmlentities() or similar, if you wish to filter and allow specific HTML (i.e. b, i, u tags) then certainly use a filtering software such as HTML Purifier that is dedicated to security.

Feel free to enquire about further security.

Alexander.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
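As an added illustration of the two points above (bound parameters for the query, output escaping for the HTML), here is a guestbook insert-and-display written with MySQLi. This is example code, not from the thread; the table layout, credentials and form field names are assumptions.

```php
<?php
// Added example: bound parameters keep user data out of the SQL text, and
// htmlspecialchars() at output time keeps it out of the HTML markup.
// Assumed table: guestbook(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64),
//                          comment TEXT, created DATETIME). Credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');

// Insert: the values are sent separately from the statement, so an apostrophe
// or quote inside $name or $comment is stored literally and cannot end the string.
function add_entry(mysqli $db, string $name, string $comment): int
{
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, comment, created) VALUES (?, ?, NOW())'
    );
    $stmt->bind_param('ss', $name, $comment); // 's' = string, one per placeholder
    $stmt->execute();
    return $stmt->insert_id;
}

// Display: escape when rendering, so stored '<', '>', '&' and quotes are shown
// as characters rather than interpreted as tags or attribute delimiters.
function render_entries(mysqli $db): string
{
    $html   = '';
    $result = $db->query('SELECT name, comment, created FROM guestbook ORDER BY id DESC');
    while ($row = $result->fetch_assoc()) {
        $html .= '<div class="entry"><b>'
            . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . '</b> (' . htmlspecialchars($row['created'], ENT_QUOTES, 'UTF-8') . ')<p>'
            . nl2br(htmlspecialchars($row['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8'))
            . '</p></div>' . "\n";
    }
    return $html;
}

// Assumed form fields: name and comment. Basic length/emptiness checks only.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name    = trim($_POST['name'] ?? '');
    $comment = trim($_POST['comment'] ?? '');
    if ($name !== '' && $comment !== '' && mb_strlen($name) <= 64) {
        add_entry($db, $name, $comment);
    }
}
echo render_entries($db);
```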

#5
hoku_2000 _99
Now, I just had someone suggest to me that I shouldn't use mysql_real_escape_string because I don't have users logging in to my database. Is it better to use mysql_real_escape_string for a guestbook like I have?

#6
Alexander
If variables or substitutions are being used in your SQL queries, and they are not solid and hard coded strings, then use proper sanitisation.

You yourself can cause a messy database error, if you forget to manually escape an apostrophe.

The only time you should not escape yourself is when you are using bound parameters with a proper SQL library (mysqli, PDO, adodb).

#7
hoku_2000 _99
So, it's OK to not use mysql_real_escape_string if I am just asking the user for a name, comment, and captcha code?

#8
WingedPanther
Assume ALL data submitted by a user is malicious, until proven otherwise.
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#9
hoku_2000 _99
It's wise to use mysql_real_escape_string then?

#10
WingedPanther
If you're sending data to the database, yes. Hackers aren't going to use a browser, they'll send raw data that contains whatever they want.

#11
gregwarner
I have a policy when I'm writing code: Nothing touches my database unless it's gone through mysqli_real_escape_string first.

#12
hoku_2000 _99
OK. Now my next question is, I am not sure how to use mysql_real_escape_string. This is my first time using it. Could I have an example, please?
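Added example (not posted by anyone in this thread) of the escaping approach the question asks about, using the mysqli_* function the earlier replies point to rather than the defunct mysql_* one. The connection details and the guestbook table are assumptions; the replies above already note that bound parameters remove the need for this escaping entirely.

```php
<?php
// Added example: mysqli_real_escape_string() used the way the manual intends:
// after a connection exists, with the character set declared, and with the
// escaped value wrapped in single quotes inside the SQL.
// Credentials and the table name are placeholders.
$db = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
// The escaping rules depend on the connection's character set, so set it first.
mysqli_set_charset($db, 'utf8mb4');

function save_guestbook_entry(mysqli $db, string $name, string $comment): bool
{
    // Escape each value with the live connection. The function puts a backslash
    // before quotes, backslashes and a few control characters, so the input
    //   O'Brien   becomes   O\'Brien   and stays inside the quoted string.
    $safeName    = mysqli_real_escape_string($db, $name);
    $safeComment = mysqli_real_escape_string($db, $comment);

    // The single quotes around the values are essential: escaping only protects
    // a quoted string literal. An unquoted VALUES ($safeName) would still let the
    // value change the meaning of the statement even though it was escaped.
    $sql = "INSERT INTO guestbook (name, comment, created)
            VALUES ('$safeName', '$safeComment', NOW())";
    return mysqli_query($db, $sql) === true;
}

// Constructed sample input: an apostrophe in the name and quotes in the comment.
$ok = save_guestbook_entry($db, "O'Brien", 'They said "hello"');
echo $ok ? "Entry saved\n" : 'Error: ' . mysqli_error($db) . "\n";
```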