MySQL/PHP: Check data length before INSERT?

  • Randell D.

    MySQL/PHP: Check data length before INSERT?


    Folks,

    I've heard of buffer overflows being used/abused by hackers and believe one
    method to reduce this from happening is to check the length of my form data
    before writing it to my MySQL database.

    Is my understanding correct?

    At the moment, I pass all my data through htmlentities() before writing to
    my database. Is this enough? Should I check each individual columns length
    first, or perhaps the overall content length to fit within the maximum
    record length?

    I found a function called mysql_escape_string() and have thought of using
    it - but other than strip_slashes(), I don't know the reverse (unless
    strip_slashes() is the recommended opposite of mysql_escape_string()).

    Can someone advise? Much appreciated,

    --
    Replies please... via the newsgroup, so everyone can learn...
    Thanks,
    Randell D.


  • Aggro

    #2
    Re: MySQL/PHP: Check data length before INSERT?

    Randell D. wrote:
    > I've heard of buffer overflows being used/abused by hackers and believe one
    > method to reduce this from happening is to check the length of my form data
    > before writing it to my MySQL database.

    MySQL should cut it for you, if it is too long to fit, but of course it
    is smart to check it before inserting it to table, because you never
    know if there is a bug in MySQL.
    > At the moment, I pass all my data through htmlentities() before writing to
    > my database. Is this enough? Should I check each individual columns length
    > first, or perhaps the overall content length to fit within the maximum
    > record length?

    Wouldn't it be smart to check it and inform the user that data doesn't
    fit? That is probably better than just cutting the end off.
    > I found a function called mysql_escape_string() and have thought of using
    > it - but other than strip_slashes(), I don't know the reverse (unless
    > strip_slashes() is the recommended opposite of mysql_escape_string()).

    You don't need to reverse mysql_escape_string() when reading. Just be
    sure to call it before writing, because if you don't, you probably have
    the most common security hole in your application.

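    The two points in the reply above, rejecting over-long input instead of letting MySQL truncate it and keeping user data out of the SQL text, as an added PHP example that is not from either poster. It assumes a PDO connection ($pdo), a hypothetical `users` table with `name VARCHAR(50)` and `email VARCHAR(100)`, and a constructed per-column limit map; it swaps in PDO prepared statements for the mysql_escape_string() call discussed in the thread, which removes the need for any escaping or "reverse" step when reading.

```php
<?php
// Added example, not from the thread. Assumed schema: users(name VARCHAR(50),
// email VARCHAR(100)). $pdo is a PDO connection created by the caller.
declare(strict_types=1);

// Constructed map of column name => maximum length in characters.
const COLUMN_LIMITS = [
    'name'  => 50,   // VARCHAR(50)
    'email' => 100,  // VARCHAR(100)
];

/**
 * Return error messages for every field whose value exceeds its column limit.
 * mb_strlen() counts characters, not bytes, so a multibyte UTF-8 value is
 * compared against the same unit MySQL uses for a VARCHAR(n) column.
 */
function validateLengths(array $input, array $limits): array
{
    $errors = [];
    foreach ($limits as $column => $max) {
        $value  = (string)($input[$column] ?? '');
        $length = mb_strlen($value, 'UTF-8');
        if ($length > $max) {
            $errors[] = sprintf(
                '%s is too long (%d characters, maximum %d)',
                $column, $length, $max
            );
        }
    }
    return $errors;
}

/**
 * Validate, then insert with a prepared statement. Returns the list of
 * validation errors; an empty array means the row was written.
 */
function insertUser(PDO $pdo, array $input): array
{
    $errors = validateLengths($input, COLUMN_LIMITS);
    if ($errors !== []) {
        // Report to the user rather than letting MySQL silently cut the end off.
        return $errors;
    }

    // Named placeholders: the values never become part of the SQL text, so no
    // escaping on write and no "unescaping" on read is needed.
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([
        ':name'  => (string)$input['name'],
        ':email' => (string)$input['email'],
    ]);
    return [];
}

// Usage with a constructed form submission (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $errors = insertUser($pdo, ['name' => str_repeat('x', 60), 'email' => 'a@example.com']);
// $errors now holds one message: "name is too long (60 characters, maximum 50)".
```

    Two notes on the design. htmlentities(), mentioned in the question, encodes a string for HTML output; it does not make a value safe to splice into SQL, so it is no substitute for either escaping or placeholders. And the length check in PHP is a belt-and-braces measure: with the server's sql_mode including STRICT_TRANS_TABLES, MySQL itself rejects an over-long value with a "Data too long for column" error instead of truncating it, so the same condition is caught even if application code misses a column.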