Re: quoting pains

Author: Craig White
Date:  
To: plug-discuss
Subject: Re: quoting pains
On Mon, 2005-03-21 at 21:29 -0700, Joseph Sinclair wrote:
> 2 items:
> 1) Unless your platform forces it, don't build SQL strings anywhere.
> SQL should be static strings using bind variables (also known as
> prepared statements, look it up in the reference for the SQL interface
> you're using). Dynamic SQL is susceptible to SQL injection, and makes
> the entire site difficult to maintain and simultaneously easy to break
> (both from a cracker standpoint, and from a maintenance standpoint).

----
duly noted before and again - makes perfectly good sense - limited
opportunity to do much mischief here but duly noted. I think that is
what I am doing - a specific string with one variable to expand.

Of course the previous warning is much more to the point...if I have a
php file that expects a complete sql search string to operate, someone
could probably craft a methodology to send an entirely different string
than something I had intended - which could have consequences beyond the
damage that I am doing myself ;-)

Of course, if the 'users' and 'password' employed in this operation only
have access to a single db - then the only damage they could do is to
this db or the tables of this db.
----
>
> 2) To pass quoted strings in (X)HTML, you have to escape the quotes.
> (X)HTML escapes characters differently from most programming
> languages, and you have to follow its rules. The mistake in your
> code is that you're trying to use PHP escapes in HTML text, and that
> won't work, since HTML doesn't consider the [\] character an escape
> character in attribute content.
> As an example, here's your string escaped for (X)HTML:
> &quot;SELECT * from horde_datatree WHERE user_uid = &quot;jennifer&quot;
> AND (group_uid = &apos;horde.shares.kronolith&apos; OR group_uid =
> &apos;horde.shares.nag&apos; OR group_uid =
> &apos;horde.shares.imp&apos; OR group_uid =
> &apos;horde.shares.turba&apos; OR group_uid =
> &apos;horde.shares.mnemo&apos;)&quot;
>
> Note: &quot; is used for ["] and &apos; is used for [']. Other
> character references may be inserted as needed; the full list is
> available at (www.w3.org). For characters without a defined entity,
> the Unicode escape (&#NNNN; where NNNN is the decimal Unicode
> character value) may also be used. The full details of character
> escaping in XML and HTML are found in the specs available at
> (www.w3.org).

----
I see said the blind man - of course I knew this but only considered it
in terms of html and to me - the html is the obstruction here and I've
been trying to live with its ugliness only as little as necessary.

the &apos / &quot stuff is a curveball...I'm simply trying to recycle
the string I used to locate records in sql db and do it again the same
way (removing the records not indicated by checkbox - see previous
detailed description) - I'm gathering the best way to handle this is to
send the 'unexpanded' string and the variable through the POST and
rebuild the string again in the target.

In my mind, I'm passing variables from php to php but because I need the
html interactivity, I have to deal with its rules.
----
>
> Many languages have open source libraries available to escape the
> characters in a string for XML/HTML, check around to see if there's
> one for your application.
>

----
IANAP (I am not a programmer) and of course this can be rather
befuddling - writing php, using html as my interactive medium and
speaking to sql db - a lot of balls in the air for someone with so
little coordination ;-)

I feel like I have gotten some terrific answers - as I seem to get from
this list - I love this list - thanks Joseph - and Patrick and Ted

Thanks

Craig
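The two points Joseph makes, a static query with bind variables and HTML-escaping the one variable that crosses the POST, as an added PHP example that is not code from this thread. It assumes a PDO connection (DSN and credentials are placeholders) and a target page named delete.php (an assumed name); the table, column and group names are the ones from the message.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection to the
// database holding horde_datatree (DSN and credentials are placeholders)
// and a target page called delete.php (an assumed name).

// Point 1: the SQL is a fixed string; user_uid and the group values are
// bound, never spliced in. The group list is a constant, so the number of
// ? placeholders is derived from it, not from anything the browser sends.
const SHARE_GROUPS = ['horde.shares.kronolith', 'horde.shares.nag',
                      'horde.shares.imp', 'horde.shares.turba', 'horde.shares.mnemo'];

function shareQuery(): string {
    $marks = implode(', ', array_fill(0, count(SHARE_GROUPS), '?'));
    return "SELECT * FROM horde_datatree WHERE user_uid = ? AND group_uid IN ($marks)";
}

function findShares(PDO $db, string $userUid): array {
    $stmt = $db->prepare(shareQuery());
    $stmt->execute(array_merge([$userUid], SHARE_GROUPS));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Point 2: only the variable crosses the HTML boundary, never the SQL.
// htmlspecialchars with ENT_QUOTES | ENT_HTML5 turns " into &quot; and
// ' into &apos;, so a uid such as o'brien cannot end the attribute early;
// the browser decodes the entities and POSTs the literal value back.
function attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderForm(string $userUid): string {
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="user_uid" value="' . attr($userUid) . '">'
         . '<input type="submit" value="Remove unchecked"></form>';
}

// Target page: rebuild the query from the POSTed variable using the same
// static SQL. Because only user_uid is accepted, a crafted POST cannot
// substitute a different statement for the one the page intends to run.
function handlePost(PDO $db, array $post): array {
    if (!isset($post['user_uid']) || !is_string($post['user_uid'])) {
        throw new InvalidArgumentException('user_uid missing');
    }
    return findShares($db, $post['user_uid']);
}

// Example wiring (placeholders):
// $db = new PDO('mysql:host=localhost;dbname=horde', 'DB_USER', 'DB_PASS');
// echo renderForm("o'brien");
// $rows = handlePost($db, $_POST);
```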

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss