forums.rs

Forums

RS-Linkify Thread is sticky

Quick find code: 261-262-33-65181208

of 1105
Indecent Act

Indecent Act

Posts: 7,456 Rune Posts by user Forum Profile RuneMetrics Profile
I was hoping Meredith would post :)

I haven't written anything using PDO, but I know a number of people who swear by it.

From what I understand the way PDO can bind values, in place of using parameters in sql queries is great for protecting against sql injection. I think that's basically what's happening in mySQLi (if used correctly), and why mysql will be all together depreciated. PDO syntax looks a lot friendlier too.

I'm seriously thinking about going with PDO or at least trying it next time I need to play with a DB.

25-Jan-2014 06:54:12

Meredith wtf

Meredith wtf

Posts: 4,160 Adamant Posts by user Forum Profile RuneMetrics Profile
If you're doing something like

$stmt = mysqli->prepare("SELECT * FROM table_name WHERE user = ?&quot ;) ;
$stmt->bind_param("s", trim($_GET['user']));
$stmt->execute();

Then, yeah, you're doing the same thing. It's just more cumbersome.

But if you use parameterized queries (not emulated) you really don't have anything to worry about as long as you're passing the right data type. You should control this using objects.

For example, I had to make a data type for the content of guides, which is an array of hypertext that doesn't contain JavaScript and is limited to certain tags:

public function getContent(){
// Strip uncommonly used tags, remove banned attributes
$contents = $_POST['content'];
foreach($contents as &$content){
if($content === "&quot ;) {
continue;
}
$content = strip_tags(trim($content), "<p><a><img><div><span><table><tr><td><th><h2><h3><h4><blockquote><ul><ol><li>&quot ;) ;
$content = stripslashes($content);

$dom = new DOMDocument;
$dom->loadHTML($content);

$nodes = $dom->getElementsByTagName('*');

foreach($nodes as $node){
if($node->hasAttributes()){
foreach($node->attributes as $attr){
$name = $attr->name;
$value = $attr->value;
switch($name){
case "id": break;
case "style": break;
case "src": break;
case "alt": break;
case "class": break;
case "href":
if(strpos($value, "javascript&quot ;) !== false){
$node->removeAttribute($name);
}
break;
default:
$node->removeAttribute($name);
break;
}
}
}
}

$content = $dom->saveXML($dom->documentElement->firstChild);
$content = strip_tags(trim($content), "<p><a><img><div><span><table><tr><td><th><h2><h3><h4><blockquote><ul><ol><li>&quot ;) ; // I run this again cuz saveXML likes to embed tags and I cbf making a better solution
}

return $contents;
}

Basically, I can't even touch the unsafe input. Unfortunately, $_POST is super global, but just make a rule to only touch it

25-Jan-2014 07:18:46

Meredith wtf

Meredith wtf

Posts: 4,160 Adamant Posts by user Forum Profile RuneMetrics Profile
only touch it in your accessor methods. Make 1 accessor for each data type, use parameterized queries, and you're 100% good.

In your case, it'd be something like this

public function getUsername(){
$username = substr(strip_tags(trim($_POST['username'])), 0, 12);
return $username;
}

25-Jan-2014 07:23:24

Indecent Act

Indecent Act

Posts: 7,456 Rune Posts by user Forum Profile RuneMetrics Profile
Sweet thanks Meredith, I wasn't 100% sure about what I said with PDO compared to mySQLi, it was more of an assumption based on what I know from using SQLi.

Fortunately all my data is only strings (with known characters and max length), timestamps (too easy) and integers (again has known min and max values). So it's pretty easy to sanitise or reject anything that doesn't belong.

I do tend to overkill with this kind of stuff but that's not always a bad thing.

25-Jan-2014 07:57:36

Bobhaz
Jun Member 2021

Bobhaz

Posts: 55,618 Emerald Posts by user Forum Profile RuneMetrics Profile
Cyanid said :
meredith ur like my #3 fav hlfer.


..::;;::..
¸¤¹´`¹¤¸
Your Friendly, Neighborhood
¸¤¹´`¹¤¸
..::;;::..
`¹¤¸¸¤¹´
..::;;::..
`¹¤¸¸¤¹´
Mustache
`¹¤¸¸¤¹´
..::;;::..
`¹¤¸¸¤¹´
who are your favs? :O

25-Jan-2014 12:42:08

Blasty
Feb Member 2017

Blasty

Posts: 9,319 Rune Posts by user Forum Profile RuneMetrics Profile
http://en.wikipedia.org/wiki/Sigil_(computer_programming)

Original message details are unavailable.
In computer programming, a sigil (/&#712;s&#618;d&#658;&#601;l/ or /&#712;s&#618;&#609;&#601;l/; plural sigilia or sigils) is a symbol attached to a variable name, showing the variable's datatype or scope, usually a prefix, as in $foo, where $ is the sigil.
...
Larry Wall adopted shell scripting's use of sigils for his Perl programming language. However, as Perl is a dynamically typed language, the sigils specify not fine-grained data-types like strings and integers, but the more general categories of scalars (using a prefixed "$&quot ;) , arrays (using "@&quot ;) , hashes (using "%&quot ;) , and subroutines (using "&&quot ;) .
...
In the PHP language, which was largely inspired by Perl, "$" precedes any variable name. Names not prefixed by this are considered constants or functions.

i

­­
­­<
Blasty
the Blue
>­­
­­
Blasty
// @BlastytheBlue // Blasty#5167
| Co-owner of Mine Nation

25-Jan-2014 12:44:28

agen
Oct Member 2011

agen

Posts: 2,597 Adamant Posts by user Forum Profile RuneMetrics Profile
Cyanid said :
meredith ur like my #3 fav hlfer.


..::;;::..
¸¤¹´`¹¤¸
Your Friendly, Neighborhood
¸¤¹´`¹¤¸
..::;;::..
`¹¤¸¸¤¹´
..::;;::..
`¹¤¸¸¤¹´
Mustache
`¹¤¸¸¤¹´
..::;;::..
`¹¤¸¸¤¹´
She's definitely in my top 2

25-Jan-2014 18:21:53

Quick find code: 261-262-33-65181208 Back to Top