MySQL/PHP: Check data length before INSERT?

This topic is closed.
  • Randell D.

    MySQL/PHP: Check data length before INSERT?


    Folks,

    I've heard of buffer overflows being used/abused by hackers and believe one
    method to reduce this from happening is to check the length of my form data
    before writing it to my MySQL database.

    Is my understanding correct?

    At the moment, I pass all my data through htmlentities() before writing to
    my database. Is this enough? Should I check each individual column's length
    first, or perhaps the overall content length to fit within the maximum
    record length?

    I found a function called mysql_escape_string() and have thought of using
    it - but other than strip_slashes(), I don't know the reverse (unless
    strip_slashes() is the recommended opposite of mysql_escape_string()).

    Can someone advise? Much appreciated,

    --
    Replies please... via the newsgroup, so everyone can learn...
    Thanks,
    Randell D.


  • Aggro

    #2
    Re: MySQL/PHP: Check data length before INSERT?

    Randell D. wrote:

    > I've heard of buffer overflows being used/abused by hackers and believe one
    > method to reduce this from happening is to check the length of my form data
    > before writing it to my MySQL database.

    MySQL should cut it for you, if it is too long to fit, but of course it
    is smart to check it before inserting it to table, because you never
    know if there is a bug in MySQL.

    > At the moment, I pass all my data through htmlentities() before writing to
    > my database. Is this enough? Should I check each individual column's length
    > first, or perhaps the overall content length to fit within the maximum
    > record length?

    Wouldn't it be smart to check it and inform the user that data doesn't
    fit? That is probably better than just cutting end off.

    > I found a function called mysql_escape_string() and have thought of using
    > it - but other than strip_slashes(), I don't know the reverse (unless
    > strip_slashes() is the recommended opposite of mysql_escape_string()).

    You don't need to reverse mysql_escape_string() when reading. Just be
    sure to call it before writing, because if you don't, you probably have
    the most common security hole in your application.


    • Randell D.

      #3
      Re: MySQL/PHP: Check data length before INSERT?


      "Aggro" <spammerdream@y ahoo.com> wrote in message
      news:4IOKb.27$m Y.14@read3.inet .fi...
      > Randell D. wrote:
      >
      > > I've heard of buffer overflows being used/abused by hackers and believe one
      > > method to reduce this from happening is to check the length of my form data
      > > before writing it to my MySQL database.
      >
      > MySQL should cut it for you, if it is too long to fit, but of course it
      > is smart to check it before inserting it to table, because you never
      > know if there is a bug in MySQL.
      >
      > > At the moment, I pass all my data through htmlentities() before writing to
      > > my database. Is this enough? Should I check each individual column's length
      > > first, or perhaps the overall content length to fit within the maximum
      > > record length?
      >
      > Wouldn't it be smart to check it and inform the user that data doesn't
      > fit? That is probably better than just cutting end off.
      >
      > > I found a function called mysql_escape_string() and have thought of using
      > > it - but other than strip_slashes(), I don't know the reverse (unless
      > > strip_slashes() is the recommended opposite of mysql_escape_string()).
      >
      > You don't need to reverse mysql_escape_string() when reading. Just be
      > sure to call it before writing, because if you don't, you probably have
      > the most common security hole in your application.

      Thanks... I have javascript checks on the form field lengths - but my
      concern was on folks who try to work their way around these tests... I know
      MySQL will cut the data but (and I'm probably mixing things up here) I have
      read of some bugs being abused on an MS environment whereby hackers somehow
      managed to write data after the NULL character (which would normally
      terminate a string I think).

      Hence I wanted to make sure I was writing the data in some environmentally
      friendly way...

      Thanks though,
      randell d.




      • Aggro

        #4
        Re: MySQL/PHP: Check data length before INSERT?

        Randell D. wrote:

        > Thanks... I have javascript checks on the form field lengths - but my
        > concern was on folks who try to work their way around these tests... I know
        > MySQL will cut the data but (and I'm probably mixing things up here) I have
        > read of some bugs being abused on an MS environment whereby hackers somehow
        > managed to write data after the NULL character (which would normally
        > terminate a string I think).

        If you use javascript to check the strings, you also need to do checking
        at the server using php. You need to do this because:
        - A lot of people don't have javascript or it isn't enabled, and they
        deserve to know the error also, don't they?
        - Security rule number 1: Always check that user input is valid.

        Note, that you can still use javascript, if you think that you gain more
        than lose with it:
        - Extra work (implementation and upkeep)
        - Some errors with some browsers might appear which won't look good in
        the user's eyes
        + It might decrease the server load a little, because in normal scenario
        server needs to validate data only once (because javascript handles most
        user errors without bothering server)
        + It might be more user-friendly in some cases. For example a counter
        that counts the characters that user has inputted so that user can see
        in real time how much more he/she can write.


        • Agelmar

          #5
          Re: MySQL/PHP: Check data length before INSERT?

          Randell D. wrote:
          > "Aggro" <spammerdream@y ahoo.com> wrote in message
          > news:4IOKb.27$m Y.14@read3.inet .fi...
          >> Randell D. wrote:
          >>
          >>> I've heard of buffer overflows being used/abused by hackers and
          >>> believe one method to reduce this from happening is to check the
          >>> length of my form data before writing it to my MySQL database.
          >>
          >> MySQL should cut it for you, if it is too long to fit, but of course
          >> it is smart to check it before inserting it to table, because you
          >> never know if there is a bug in MySQL.
          >>
          >>> At the moment, I pass all my data through htmlentities() before
          >>> writing to my database. Is this enough? Should I check each
          >>> individual column's length first, or perhaps the overall content
          >>> length to fit within the maximum record length?
          >>
          >> Wouldn't it be smart to check it and inform the user that data
          >> doesn't fit? That is probably better than just cutting end off.
          >>
          >>> I found a function called mysql_escape_string() and have thought of
          >>> using it - but other than strip_slashes(), I don't know the reverse
          >>> (unless strip_slashes() is the recommended opposite of
          >>> mysql_escape_string()).
          >>
          >> You don't need to reverse mysql_escape_string() when reading. Just be
          >> sure to call it before writing, because if you don't, you probably
          >> have the most common security hole in your application.
          >>
          >
          > Thanks... I have javascript checks on the form field lengths - but my
          > concern was on folks who try to work their way around these tests... I
          > know MySQL will cut the data but (and I'm probably mixing things up
          > here) I have read of some bugs being abused on an MS environment
          > whereby hackers somehow managed to write data after the NULL
          > character (which would normally terminate a string I think).

          Alright, I'm going to jump in just to prevent any further confusion. A
          buffer overrun is where you allocate a block of memory of fixed size, and
          then read in an arbitrary amount of data which may run past the end of the
          block of memory you have allocated (the buffer), overwriting memory that
          could potentially be executed. Since you have no memory management abilities
          in PHP, this is not anything that you as a user of PHP need to be concerned
          about. It has nothing to do with writing past a null character, it's simply
          a matter of reading in data of arbitrary size into a block of memory of
          fixed size.



          • David Mackenzie

            #6
            Re: MySQL/PHP: Check data length before INSERT?

            On Wed, 07 Jan 2004 05:32:05 GMT, "Randell D."
            <reply.to.news. group.only@and. share.com> wrote:

            >At the moment, I pass all my data through htmlentities() before writing to
            >my database. Is this enough? Should I check each individual column's length
            >first, or perhaps the overall content length to fit within the maximum
            >record length?

            You should store your data as raw as possible and only use
            htmlentities() when outputting it in an HTML context.

            >I found a function called mysql_escape_string() and have thought of using
            >it - but other than strip_slashes(), I don't know the reverse (unless
            >strip_slashes() is the recommended opposite of mysql_escape_string()).

            addslashes() and stripslashes()

            --
            David ( @priz.co.uk )
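
The server-side length check from post #4 and the store-raw, encode-on-output advice from post #6, as an added example that is not part of any post in this thread. It uses PDO prepared statements in place of the mysql_escape_string() call discussed above (that function was removed in PHP 7.0); the table, column limits, sample submissions and in-memory SQLite DSN are assumptions chosen so the script runs offline.

```php
<?php
// Added example: reject over-long input on the server, bind values, encode on output.
// Assumptions (not from the thread): table "comments" with name VARCHAR(50) and
// body VARCHAR(500); PDO with pdo_sqlite and mbstring available. For MySQL only the DSN changes.

const LIMITS = ['name' => 50, 'body' => 500]; // keep in sync with the column definitions

/** Return a list of error messages; an empty list means every field fits. */
function validateLengths(array $input): array
{
    $errors = [];
    foreach (LIMITS as $field => $max) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || $value === '') {
            $errors[] = "$field is required";
        } elseif (mb_strlen($value, 'UTF-8') > $max) {
            // Tell the user instead of letting the database cut the value silently.
            $errors[] = "$field is too long (max $max characters)";
        }
    }
    return $errors;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (name VARCHAR(50), body VARCHAR(500))');

// Constructed sample submissions: one valid (quotes and markup), one over-long
// as if the browser-side JavaScript length check had been skipped.
$submissions = [
    ['name' => "O'Brien", 'body' => '<b>Hello</b> & "welcome"'],
    ['name' => str_repeat('A', 51), 'body' => 'sent without the JavaScript check'],
];

$insert = $pdo->prepare('INSERT INTO comments (name, body) VALUES (:name, :body)');
foreach ($submissions as $post) {
    $errors = validateLengths($post);
    if ($errors) {
        echo 'Rejected: ' . implode('; ', $errors) . PHP_EOL;
        continue;
    }
    // Values are bound, never concatenated into the SQL text, and stored raw.
    $insert->execute([':name' => $post['name'], ':body' => $post['body']]);
}

// Encode only when writing into an HTML context.
foreach ($pdo->query('SELECT name, body FROM comments') as $row) {
    echo '<p>' . htmlentities($row['name'], ENT_QUOTES, 'UTF-8') . ': '
        . htmlentities($row['body'], ENT_QUOTES, 'UTF-8') . '</p>' . PHP_EOL;
}
```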


            • Randell D.

              #7
              Re: MySQL/PHP: Check data length before INSERT?


              "Agelmar" <ifetteNOSPAM@c omcast.net> wrote in message
              news:btif7q$7a7 q4$1@ID-30799.news.uni-berlin.de...
              > Randell D. wrote:
              > > "Aggro" <spammerdream@y ahoo.com> wrote in message
              > > news:4IOKb.27$m Y.14@read3.inet .fi...
              > >> Randell D. wrote:
              > >>
              > >>> I've heard of buffer overflows being used/abused by hackers and
              > >>> believe one method to reduce this from happening is to check the
              > >>> length of my form data before writing it to my MySQL database.
              > >>
              > >> MySQL should cut it for you, if it is too long to fit, but of course
              > >> it is smart to check it before inserting it to table, because you
              > >> never know if there is a bug in MySQL.
              > >>
              > >>> At the moment, I pass all my data through htmlentities() before
              > >>> writing to my database. Is this enough? Should I check each
              > >>> individual column's length first, or perhaps the overall content
              > >>> length to fit within the maximum record length?
              > >>
              > >> Wouldn't it be smart to check it and inform the user that data
              > >> doesn't fit? That is probably better than just cutting end off.
              > >>
              > >>> I found a function called mysql_escape_string() and have thought of
              > >>> using it - but other than strip_slashes(), I don't know the reverse
              > >>> (unless strip_slashes() is the recommended opposite of
              > >>> mysql_escape_string()).
              > >>
              > >> You don't need to reverse mysql_escape_string() when reading. Just be
              > >> sure to call it before writing, because if you don't, you probably
              > >> have the most common security hole in your application.
              > >>
              > >
              > > Thanks... I have javascript checks on the form field lengths - but my
              > > concern was on folks who try to work their way around these tests... I
              > > know MySQL will cut the data but (and I'm probably mixing things up
              > > here) I have read of some bugs being abused on an MS environment
              > > whereby hackers somehow managed to write data after the NULL
              > > character (which would normally terminate a string I think).
              >
              > Alright, I'm going to jump in just to prevent any further confusion. A
              > buffer overrun is where you allocate a block of memory of fixed size, and
              > then read in an arbitrary amount of data which may run past the end of the
              > block of memory you have allocated (the buffer), overwriting memory that
              > could potentially be executed. Since you have no memory management abilities
              > in PHP, this is not anything that you as a user of PHP need to be concerned
              > about. It has nothing to do with writing past a null character, it's simply
              > a matter of reading in data of arbitrary size into a block of memory of
              > fixed size.

              Great - An answer... and one that I can understand too...

              Cheers
              Randell D.



              • Randell D.

                #8
                Re: MySQL/PHP: Check data length before INSERT?


                "David Mackenzie" <me@privacy.net > wrote in message
                news:cfdqvvo73b il41igivi36fm2s h0bov8t34@4ax.c om...
                > On Wed, 07 Jan 2004 05:32:05 GMT, "Randell D."
                > <reply.to.news. group.only@and. share.com> wrote:
                >
                > >At the moment, I pass all my data through htmlentities() before writing to
                > >my database. Is this enough? Should I check each individual column's length
                > >first, or perhaps the overall content length to fit within the maximum
                > >record length?
                >
                > You should store your data as raw as possible and only use
                > htmlentities() when outputting it in an HTML context.
                >
                > >I found a function called mysql_escape_string() and have thought of using
                > >it - but other than strip_slashes(), I don't know the reverse (unless
                > >strip_slashes() is the recommended opposite of mysql_escape_string()).
                >
                > addslashes() and stripslashes()
                >
                > --
                > David ( @priz.co.uk )

                Thanks...

