I've made a simple forum in which users can create a username which is stored in a database. I heard that if you allow certain characters then people can do damage to the database. I can't seem to find a list of these characters so I was wondering if anyone knows what they are, and maybe how to make them usable using PHP.

It has nothing to do with the characters so much as code.
when you add something to the database you need to use these functions
addslashes();
htmlspecialchars();
so it looks like so
htmlspecialchars(addslashes($var));
that will save you a lot of torment.

To prevent SQL injection and so forth, I think you're better off using the functions in the opposite order, as such:
addslashes(htmlspecialchars($string));
It makes a difference since with the other way around, you would end up html-encoding the slashes that addslashes() added.

that doesn't make sense. once you addslashes it will be safe even if you don't use htmlspecialchars.
if you change it with htmlspecialchars then what good will addslashes be since you just changed the quote to an ascii code?
the way I have is the best way.

My way is the best.
My way will first convert all tags and symbols to harmless html entities. addslashes isn't really required once that is done, but it doesn't do any harm being there either.
"that doesn't make since. once you addslashes it will be safe even if you don't use htmlspecialchars."
Sure, safe to put in the database, but maybe dangerous to include on your page later.
But why do you then do this:
htmlspecialchars(addslashes($var));
?? You're saying one thing and doing another.
"if you change it with htmlspecialchar then what good will addslashes be since you just changed the quote to a ascii code?"
htmlspecialchars() does not convert anything to ASCII code, it converts 'special' symbols to HTML entities.
Read here, I think they know.
http://de.php.net/manual/en/function.htmlspecialchars.php
Try the following script:
<?php
$string = "\"hello\"";
$string1 = htmlspecialchars(addslashes($string));
$string2 = addslashes(htmlspecialchars($string));
echo $string1."<br>\n";
echo $string2."<br>\n";
?>
Run that and check the source of the output. The first row being your way, and the second way being my way. You will stuff the database with lots of unnecessary slashes. Using only addslashes() would use even less space in the database, than my way, but it might be heavy on resources having to run htmlspecialchars() every time on output.
My 2 cents, you're welcome to prove me wrong.

Originally posted by Rydberg
But why do you then do this:
htmlspecialchars(addslashes($var));
?? You're saying one thing and doing another.
but "it doesn't do any harm being there either."
Originally posted by Rydberg
htmlspecialchars() does not convert anything to ASCII code, it converts 'special' symbols to HTML entities.
Read here, I think they know.
http://de.php.net/manual/en/function.htmlspecialchars.php
Try the following script:
I didn't mean ascii code but html entities. I just had ascii on my mind when I wrote it.
I am not trying to prove you wrong, just some things look weird if you do it one way for years and then see a different way down the road. I think I know what it does.
It never hurts to be safe, no matter which way you do it.
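To make the disagreement in the thread concrete, here is an added example (not from any of the posters) that runs both orderings from Rydberg's script on a username containing a quote, a backslash and a tag, and then stores and renders the same name by escaping for each sink separately: a prepared statement for the SQL side, htmlspecialchars() at output for the HTML side. The in-memory SQLite database and the users table are assumptions standing in for the forum's real database.

```php
<?php
// Added example, not from any poster in the thread. It runs the two escaping
// orders argued about above, then stores and renders the same name by escaping
// for each sink: a prepared statement for SQL, htmlspecialchars() for HTML.

// Constructed username containing a quote, a backslash and a tag.
$username = "O'Brien <b>\\</b>";

// Order from the first reply: addslashes() first, then htmlspecialchars().
// The backslash that addslashes() put before the quote survives into the
// encoded output, and the original backslash is doubled.
$firstReply = htmlspecialchars(addslashes($username), ENT_QUOTES, 'UTF-8');

// Rydberg's order: htmlspecialchars() first, then addslashes().
// The quote is already an entity by the time addslashes() runs, so only the
// original backslash is escaped.
$rydberg = addslashes(htmlspecialchars($username, ENT_QUOTES, 'UTF-8'));

echo "first reply: $firstReply\n";
echo "rydberg:     $rydberg\n";

// Either way the database ends up holding an encoded form of the name.
// Escaping per sink keeps the stored value raw. The in-memory SQLite
// database is an assumption standing in for the forum's real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

function storeUsername(PDO $pdo, string $raw): void
{
    // The driver sends the value separately from the SQL text, so the quote
    // cannot terminate the string literal and no addslashes() is needed.
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:name)');
    $stmt->execute([':name' => $raw]);
}

function renderUsername(string $raw): string
{
    // Encode at output, for the HTML context the value is placed in.
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

storeUsername($pdo, $username);
$stored = $pdo->query('SELECT username FROM users')->fetchColumn();

echo "stored:   $stored\n";                          // comes back unchanged
echo "rendered: " . renderUsername($stored) . "\n";  // safe to put in the page
```

Comparing the first two lines of output shows the extra backslash Rydberg is talking about; the last two show that storing the raw value and encoding at output avoids storing either form.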