
Why is the DB on this forum so dodgy?

    #21
    I view strings as an array of bytes, do I need to escape numbers too?

    Comment


      #22
      Originally posted by Cowboy Bob
      I've yet to meet any other sort. Just look here - http://thedailywtf.com/forums/thread/87226.aspx - where they're all banging on about using escaped strings to pass into SQL statements. And these guys nearly all seem to think they're experts.

      (If you have to question why escaping strings is bad, put yourself into the aforementioned category).
      Do you mean that strings should never be passed through, and the query should be abstracted from the actual SQL call - if so, I entirely agree.

      To illustrate...

      If an app needs to return a record for an Engineering Part, let's say, then the app should provide a GetPartRecordByNo(string partNo) method.

      Rather than GetWhateverIWant("SELECT * FROM TABLE_PARTS");

      It's only right!

      You've come right out the other side of the forest of irony and ended up in the desert of wrong.

      Comment


        #23
        I use PHP quite regularly. My code DOES escape strings, but safely:

        Code:
        	/**
        	 * Login and set cookie etc.
        	 * Each value is escaped and then spliced into a single-quoted literal,
        	 * so the escaping only does its job while the value sits between quotes.
        	 */
        	function security_login($email_address, $password, $remember_me) {
        		$sql = sprintf("SELECT user_id FROM user WHERE email_address = '%s' AND password = MD5('%s');",
        			mysql_escape_string($email_address),
        			mysql_escape_string($password));
        		// Debug output for now; $remember_me is not used yet.
        		print_r($this->database->querySingleRow($sql));
        	}
        Note - that is seriously unfinished part of the app's API.
        Serving religion with the contempt it deserves...

        Comment


          #24
          Originally posted by TheMonkey
          I use PHP quite regularly. My code DOES escape strings, but safely:

          Code:
          	/**
          	 * Login and set cookie etc.
          	 */
          	function security_login($email_address, $password, $remember_me) {
          		$sql = sprintf("SELECT user_id FROM user WHERE email_address = '%s' AND password = MD5('%s');", 
          			mysql_escape_string($email_address), 
          			mysql_escape_string($password));
          		print_r($this->database->querySingleRow($sql));
          	}
          Note - that is seriously unfinished part of the app's API.
          Ding, you're a winner!!! You should never escape strings to pass into DB queries - it's inherently unsafe with regards to SQL injection. I know you're going to say that the mysql_escape_string escapes the string to make it safe, but how do you know it catches ALL eventualities? It's such a weak point, don't trust it. There are better ways. You should always use parameterized queries. I understand PHP has something called PEAR DB that can do this. A PreparedStatement is what it's called in the Java world.
          Listen to my last album on Spotify

          Comment


            #25
            Originally posted by bogeyman
            Do you mean that strings should never be passed through, and the query should be abstracted from the actual SQL call - if so, I entirely agree.

            To illustrate...

             If an app needs to return a record for an Engineering Part, let's say, then the app should provide a GetPartRecordByNo(string partNo) method.

            Rather than GetWhateverIWant("SELECT * FROM TABLE_PARTS");

            It's only right!
            Nope. It should be something like this - in whatever syntax you prefer:-

            Code:
            // The SQL text is fixed at prepare time; the '?' is a placeholder, not a splice point.
            PreparedStatement stmt = connection.prepareStatement("select * from table_parts where partNo = ?");
            stmt.setString(1, partNo);          // bound as a value, never concatenated into the SQL
            ResultSet rs = stmt.executeQuery(); // rows for the matching partNo, or none
            This leaves the string escaping to the DB itself, which is a much better way of doing things as it is more likely to know what's best.
            Listen to my last album on Spotify

            Comment


              #26
              Yeah the mysqli extension does that using recent mysql client libs. Only problem is that 90% of crappy php web hosts don't use it.

              mysql_escape_string IS safe. I've read the source code!
              Serving religion with the contempt it deserves...

              Comment
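Added example, not code from anyone in this thread: a Python/sqlite3 sketch of the two approaches argued over in #23 to #26, which also answers #21's question about numbers. The table, the two rows and the escape_string() helper are constructed here; escape_string() is a hypothetical stand-in for mysql_escape_string() that doubles quotes, because SQLite has no backslash escapes in string literals. The point it demonstrates: quote-escaping holds up while the value sits inside a quoted literal, is no defence at all once the same value is spliced into an unquoted numeric position, and a parameterised query needs neither distinction. (A separate caveat the example cannot show with SQLite: PHP's mysql_escape_string() ignores the connection character set, which is why mysql_real_escape_string() exists.)

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the thread's MySQL "user" table.
# The password column holds an unsalted MD5 hex digest, as in the PHP snippet.
SAMPLE_USERS = [
    (1, "alice@example.com", hashlib.md5(b"correct horse").hexdigest()),
    (2, "bob@example.com", hashlib.md5(b"hunter2").hexdigest()),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (user_id INTEGER PRIMARY KEY, "
        "email_address TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def escape_string(value):
    """Hypothetical stand-in for mysql_escape_string(): neutralise the one
    character that can close a single-quoted literal. SQLite doubles the quote
    where MySQL would backslash it; the protection model is the same."""
    return str(value).replace("'", "''")


def login_escaped(conn, email, password):
    """The approach from #23: escape each value, then splice it into a quoted literal."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = (
        "SELECT user_id FROM user WHERE email_address = '%s' AND password = '%s'"
        % (escape_string(email), escape_string(digest))
    )
    return [row[0] for row in conn.execute(sql)]


def email_by_id_escaped(conn, user_id):
    """Same escaping, but the value lands in a numeric position with no quotes
    around it (#21's question). There is no quote to close, so the escaping
    changes nothing and whatever the caller supplied runs as SQL."""
    sql = "SELECT email_address FROM user WHERE user_id = %s" % escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, email, password):
    """Parameterised query (#24/#25): the SQL text is fixed, values travel separately."""
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = "SELECT user_id FROM user WHERE email_address = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (email, digest))]


def email_by_id_param(conn, user_id):
    """Parameterised numeric lookup: the driver binds the value as data, so
    '1 OR 1=1' is compared as a plain string and matches nothing."""
    sql = "SELECT email_address FROM user WHERE user_id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    # Quoted-string context: escaping holds, the classic payload finds nothing.
    print(login_escaped(db, "' OR 1=1 --", "x"))                   # []
    print(login_escaped(db, "alice@example.com", "correct horse"))  # [1]
    # Numeric context: the escaped payload is executed verbatim.
    print(email_by_id_escaped(db, "1 OR 1=1"))   # ['alice@example.com', 'bob@example.com']
    # Parameterised: safe in both contexts without the caller thinking about quoting.
    print(email_by_id_param(db, "1 OR 1=1"))     # []
    print(login_param(db, "alice@example.com", "correct horse"))    # [1]
```

The numeric case is the one that trips up "but I escaped everything" code: the escaping function is doing exactly what it says, the bug is that the generated SQL had no quotes for it to protect. Binding parameters removes that class of mistake because the query text never changes shape based on the data.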


                #27
                All very interesting indeed

                but where's the abuse?
                Or at least a picture of some tits? (cue the hysterical pictures of parus major)
                Why not?

                Comment
