Managing & Using MySQL, 2nd Edition by Hugh E. Williams, Randy Yarger, George Reese, Tim King

Securing User Data

The clean() function in the include file db.inc makes user input secure. The function is shown in Example 11-3, and it takes two parameters: the user $input and the maximum length $maxlength that is expected. It returns the clean user data.

The clean() function uses the PHP library string function substr() to reduce the length of the $input to its desired maximum. It then uses the PHP library function EscapeShellCmd() to insert backslash characters before selected characters—such as semicolons, backslashes, greater-thans, and less-thans—so that their special meanings in Unix shells are nullified or escaped. These two steps are usually sufficient to ensure that users cannot maliciously add extra clauses to SQL queries and cannot manipulate other MySQL library functions.

Warning

Never trust user input or network data.

You should preprocess all user data by escaping special shell characters and ensuring that the data does not exceed a maximum length. A function such as clean() in our db.inc include file is useful for this task.
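One way to put the two steps together, as an added example that is not the book's Example 11-3 (the findUser() function, its users table, the column names and the use of a mysqli prepared statement are assumptions, not from the book): the value is truncated and passed through escapeshellcmd() as described above, and then handed to MySQL as a bound parameter, since escapeshellcmd() escapes shell metacharacters rather than SQL string syntax.

```php
<?php
// Added example, not the book's db.inc. clean() follows the two steps the
// text describes: cut the input to $maxlength, then escape shell
// metacharacters (; | < > ` $ & and friends) with escapeshellcmd().
function clean(string $input, int $maxlength): string
{
    $input = substr($input, 0, $maxlength);
    return escapeshellcmd($input);
}

// Assumed table and function (not from the book). The cleaned value is still
// bound as a query parameter so MySQL never parses it as part of the SQL text;
// escapeshellcmd() is aimed at the shell, not at SQL string literals.
function findUser(mysqli $db, string $username): ?array
{
    $username = clean($username, 32);
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' marks a string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;                 // null when no row matched
}

// Constructed usage; replace the connection details with your own.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'mydb');
var_dump(findUser($db, $_GET['username'] ?? ''));
```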

The automatic initialization of variables by the PHP engine also presents a minor security risk. The engine initializes variables in a certain order (defined in PHP’s configuration file php.ini), which presents the possibility that a variable can be initialized twice, with the second value overwriting the first. For example, by default, the PATH environment variable, which tells the PHP engine where to look for programs, is one of ...