Jump to content

Validation + Real Escape?


torque
 Share

Recommended Posts

I am wondering what the standards are for this.If you real escape your form input data do you need to validate the entry?Everytime I try to use validation options it seems to decrease user friendliness.Nothing is posted directly to the site it gets filtered by a person first. Is this just too old-fashioned or is it a suitable circumstance to leave out the validation?I appreciate your thoughts!

Link to comment
Share on other sites

The only thing mysql(i)_real_escape_string() does is to prevent SQL injection attacks. Nothing more and nothing less.SQL injection attack is when an attacker tries to use a field to influence the whole of your SQL query, thereby forcing it to do stuff it wasn't meant to do, potentially giving away useful information in the process.Other kinds of validation include what you allow in the database for various other reasons. For example, you may want to make sure that an "email" field contains a valid email that you could at least try to contact. If it doesn't contain a valid email, you may end up letting an attacker perform "mail header injection attack"... similar to an SQL injection, only instead of getting control of an SQL query, an attacker gets control of an SMTP server, potentially sending SPAM emails, or worse yet - presenting himself as you, and luring people into typing their passwords on another site.The only way you can be sure that you're "hacker free" (or at least "almost" hacker free) is to validate all of your user input, and decline anything that doesn't fit expectations. Of course, for the sake of user experience, you should have good error messages, fill out the form fields as they were, etc.

Edited by boen_robot
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...