MyBB Community Forums

Full Version: Intval & escape string usage.
Pages: 1 2 3
I was looking at a cross reference and thought I would ask.

I don't exactly know where I should use intval & escape string as prefixes. For example in member.php;

$query = $db->simple_select("users", "*", "LOWER(username)='".$db->escape_string(my_strtolower($mybb->input['username']))."'");

Next for intval:

 $query = $db->simple_select("users", "*", "uid='".intval($mybb->input['uid'])."'");

So I am slightly confused. Also, the question arises: if either of these (I believe the first one mostly) were not used, would the input be unsanitized and the script open to SQL injection?

So how does the usage of the first and the second one occur in most cases? I just wanted to know so I can keep a note of it while developing things in future.

Regards.
intval() will make sure the input is an integer. That should be used on user input which is expected to be a number.

$db->escape_string() should be used on user input which could be variable.

See: this and this

No user input should ever be trusted and it should always be sanitized, otherwise there is a high chance it could lead to an SQLi vulnerability.
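To make the intval() / escape_string() split concrete, here is an added example (not MyBB code) that runs the member.php-style lookups against an in-memory SQLite database through PDO, so it works offline. It assumes the pdo_sqlite extension is available. PDO::quote() stands in for $db->escape_string(): both hand the value to the driver's escaping routine, quote() just also wraps the result in single quotes. The user rows and the two payloads are constructed for the demonstration.

```php
<?php
// Added example, not MyBB code: what intval() and escape_string() each protect
// against, and why the choice depends on where the value lands in the query.
// Assumption: the pdo_sqlite extension is available. PDO::quote() plays the
// role of $db->escape_string(). The user rows below are constructed.

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT)");
    $db->exec("INSERT INTO users (uid, username) VALUES (1, 'Admin'), (2, 'bob'), (3, 'carol')");
    return $db;
}

function run(PDO $db, string $sql): array
{
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// No escaping: the member.php query with escape_string() left out. A value
// such as  x' OR '1'='1  closes the string literal and appends its own
// condition, so the WHERE clause matches every user.
function users_by_name_unsafe(PDO $db, string $input): array
{
    return run($db, "SELECT * FROM users WHERE LOWER(username)='" . strtolower($input) . "'");
}

// String context, escaped: the quote inside the value is escaped, the whole
// input stays one literal, and it simply matches no username.
function users_by_name(PDO $db, string $input): array
{
    return run($db, "SELECT * FROM users WHERE LOWER(username)=" . $db->quote(strtolower($input)));
}

// Numeric context with intval(): "2 OR 1=1" collapses to the integer 2, so the
// query can only ever look up one uid.
function user_by_uid(PDO $db, $input): array
{
    return run($db, "SELECT * FROM users WHERE uid=" . intval($input));
}

// Numeric context with escaping only: there is no quote in "2 OR 1=1" for the
// escaper to touch, so the comparison still becomes  uid=2 OR 1=1.
function user_by_uid_escaped_only(PDO $db, string $input): array
{
    $escaped = substr($db->quote($input), 1, -1);   // like escape_string(): escaped, no surrounding quotes
    return run($db, "SELECT * FROM users WHERE uid=" . $escaped);
}

$db = make_db();
$string_payload = "x' OR '1'='1";   // constructed attacker input for the username field
$number_payload = "2 OR 1=1";       // constructed attacker input for the uid field

printf("no escaping, string : %d row(s)\n", count(users_by_name_unsafe($db, $string_payload)));
printf("escaped, string     : %d row(s)\n", count(users_by_name($db, $string_payload)));
printf("intval, number      : %d row(s)\n", count(user_by_uid($db, $number_payload)));
printf("escaped, number     : %d row(s)\n", count(user_by_uid_escaped_only($db, $number_payload)));
```

The rule that falls out of this: a value that lands inside a quoted string literal needs the driver's escaper ($db->escape_string() in MyBB, which wraps the MySQL real-escape function and therefore knows the connection's character set); a value that is compared as a number needs intval() (or an (int) cast), because escaping cannot remove anything from "2 OR 1=1". Using intval() on a numeric value and then quoting it, as the uid='...' query on this page does, is fine as well.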
If you don't use "escape_string" on user inputs you're leaving yourself open to SQL injection, as users would be able to use characters that are associated with database queries, therefore altering the queries in some cases.
Let's say I develop a custom PHP form with a textbox whose values would be stored into the database after the form is submitted, say page2.php with the form on page1.php like:

Name <input type="text" name="name" />

And then in page2.php I would be connecting to the db first (considering a non-MyBB case as an example), then for the sake of ease of use I could grab the $_POST variable as $name = $_POST['name']; and then store it into the db table like, say for example;

mysql_query("INSERT INTO `mytable_name` VALUES ('$name')");

then would it still be open to injection, or is there no need for any input to be sanitized here?
Yes, because you're allowing raw text / characters to be directly inserted into the database.
As I stated, all user input needs to be sanitized. You cannot trust any user input.
For example if a user inserts something like:

WHERE 'table_name' = '1'

You query then becomes:

mysql_query("INSERT INTO `mytable_name` VALUES WHERE 'table_name' = '1'");

Or something to that effect
And how would I prevent it, considering the example I used above? Any ideas? It's a shame that, after the example I just pointed out, the other examples on the web are also written the same way, without sanitizing.
Using the escape_string lol, you posted an example yourself in the first post. That will remove special characters in the string that's inserted into the textfield once it's submitted.
LOL, things are so confusing, well, at certain times.

So I assume considering the recent NON MyBB example that I posted, when I grab the post variable like:

$name = $_POST['name'];

I would be using below instead:

$name = mysql_real_escape_string($_POST['name']);

and then adding normally to db like:

mysql_query("INSERT INTO `mytable_name` VALUES ('$name')");

be fine?

Cheers.
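As an added example (not the poster's code) of the INSERT case discussed in the last few posts, here is the page2.php handler in three forms: raw interpolation, escape-then-interpolate as proposed above, and a prepared statement. It runs offline against an in-memory SQLite database through PDO (assumption: pdo_sqlite is available); PDO::quote() plays the part of mysql_real_escape_string(), i.e. the escaping routine of the database driver in use. The table name and the $_POST value are constructed. Two caveats that the thread does not spell out: the mysql_* functions the posts use were deprecated in PHP 5.5 and removed in PHP 7, so on current PHP the same pattern is written with mysqli or PDO; and mysql_real_escape_string() needs an open connection, because the escaping depends on the connection's character set (which is also why addslashes() is not a substitute).

```php
<?php
// Added example, not the poster's code: the form handler from this thread in
// three forms, run against in-memory SQLite through PDO (assumption: the
// pdo_sqlite extension is available). PDO::quote() stands in for
// mysql_real_escape_string(). The table name and the submitted value are
// constructed for the demonstration.

function make_table(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE mytable_name (name TEXT)");
    return $db;
}

// 1. Raw interpolation, as in the original page2.php. A value that contains
//    a quote ends the string literal; whatever follows becomes SQL.
function insert_raw(PDO $db, string $name): void
{
    $db->exec("INSERT INTO mytable_name VALUES ('$name')");
}

// 2. Escape, then interpolate, as the last post proposes. Safe as long as the
//    value lands inside a quoted string literal and the escaper is the
//    driver's own (it has to know the connection character set).
function insert_escaped(PDO $db, string $name): void
{
    $db->exec("INSERT INTO mytable_name VALUES (" . $db->quote($name) . ")");
}

// 3. Prepared statement: the value never becomes part of the SQL text, so
//    there is no quoting context to get wrong, numeric or string.
function insert_prepared(PDO $db, string $name): void
{
    $stmt = $db->prepare("INSERT INTO mytable_name VALUES (?)");
    $stmt->execute([$name]);
}

function stored_names(PDO $db): array
{
    return $db->query("SELECT name FROM mytable_name ORDER BY rowid")->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input: closes the VALUES tuple and opens a second one,
// so the raw version ends up inserting two rows from one form submission.
$_POST['name'] = "Mallory'), ('injected";

foreach (['insert_raw', 'insert_escaped', 'insert_prepared'] as $handler) {
    $db = make_table();
    $handler($db, $_POST['name']);
    printf("%-16s -> %s\n", $handler, json_encode(stored_names($db)));
}
```

Run it once and compare the three result lists: only the raw version ends up with a row the user never typed. The escaped version stores the submitted text exactly as typed, quote and parenthesis included, which is the correct outcome; escaping is not about stripping characters, it is about keeping them inside the literal. Prepared statements give the same result without having to remember which context (quoted string, number, identifier) the value is going into.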