Safely echo data from MySQL?
Posted: Sun Jul 22, 2012 2:56 am
This is the current code I have:
Is there anything that could speed up load times?
I'll explain the code a bit more:
This is a basic blog script (not the tutorial, but by general knowledge). All of the posts are coming from a MySQL database. Information would only ever be stored in it by an Moderator, Admin, Or SuperUser (I have my own account at Admin permission levels). The information is inserted much the same way as it is displayed above. The $_SESSION["perm_level"] this is so only people with permissions level 3 (Moderator) to 0 (SuperUser) will ever see the edit link (the edit page is protected much the same way). The DB connections are included in the main index.php page (this script is put into the home page via the PHP template system tutorial). And I heard something about being able to list table contents with the address bar. I think is stopped by "Magic quotes" or something, I haven't really looked into it. But I assume my hosts aren't stupid and have the module thing enabled. (I seriously don't know how it even works) Up to one image can be added per post, selecting yes or no then putting a URL when making a new post. The edit page is also secured, and authentication occurs.
I hope that wasn't too much reading :3
The MySQL DB structure looks like this:
<ul class="login_pane">
<?php
if(isset($_SESSION['log_usr'])) {
?>
<img src="http://cdn.stratuscraft.net/profile/ren ... ayer=<?php echo $_SESSION['log_usr']; ?>" height="20" width="20" /> <a href="/login/ucp.php"><font color="#666666" style="padding-left:6px"><?php echo $_SESSION['log_usr']; ?></font></a>
<?php
}else{
?>
<a href="/login/"><font color="#666666">Login</font></a>
<?php } ?>
</ul>
</li>
</ul>
</div>
<ul id="list_wrap" class="list_wrap_col2_c1">
<?php
while ( $show_posts = mysql_fetch_array($sql_result)) {
echo '<li class="list_box listbox_u1imgm">';
echo '<h2>'.mysql_real_escape_string(htmlentities($show_posts["post_title"])).'</h2>';
echo '<div class="expert"><p>';
echo '<p class="date">'.mysql_real_escape_string(htmlentities($show_posts["post_date"])).'</p>';
echo mysql_real_escape_string(htmlentities($show_posts["post_content"]));
echo '</p>';
if($show_posts["post_image"] == "TRUE") {
echo '<br />';
echo '<a rel="prettyPhoto[]" class="imgwrap" title="'.mysql_real_escape_string(htmlentities($show_posts["post_title"])).'" href="'.mysql_real_escape_string(htmlentities($show_posts["post_image_url"])).'">';
echo '<div class="back">';
echo '<div class="backbg"></div>';
echo '<div class="icoimage"></div>';
echo '</div>';
echo '<img title="'.mysql_real_escape_string(htmlentities($show_posts["post_title"])).'" alt="'.mysql_real_escape_string(htmlentities($show_posts["post_image_url"])).'" src="'.mysql_real_escape_string(htmlentities($show_posts["post_image_url"])).'"></a>';
}
echo '<p class="clum2_box_meta">Posted by <a href="http://profile.stratuscraft.net/?user=' ... ape_string(htmlentities($show_posts["post_creator"])).'">'.mysql_real_escape_string(htmlentities($show_posts["post_creator"])).'</a> in : News, Homepage</p>';
if($_SESSION["perm_level"] < 4) {
echo '<a class="edit_post_home" href="post.php?mode='.md5("edit").'&pid='.$show_posts["post_id"].'&orig='.$show_posts["post_creator"].'&titl='.$show_posts["post_title"].'&session='.md5(time("U")).'">Edit Post</a>';
}
echo '</div>';
echo '</li>';
}
?>
</ul>
To me, it looks safe. But are there any holes in this that could be exploited?Is there anything that could speed up load times?
I'll explain the code a bit more:
This is a basic blog script (not the tutorial, but by general knowledge). All of the posts are coming from a MySQL database. Information would only ever be stored in it by an Moderator, Admin, Or SuperUser (I have my own account at Admin permission levels). The information is inserted much the same way as it is displayed above. The $_SESSION["perm_level"] this is so only people with permissions level 3 (Moderator) to 0 (SuperUser) will ever see the edit link (the edit page is protected much the same way). The DB connections are included in the main index.php page (this script is put into the home page via the PHP template system tutorial). And I heard something about being able to list table contents with the address bar. I think is stopped by "Magic quotes" or something, I haven't really looked into it. But I assume my hosts aren't stupid and have the module thing enabled. (I seriously don't know how it even works) Up to one image can be added per post, selecting yes or no then putting a URL when making a new post. The edit page is also secured, and authentication occurs.
I hope that wasn't too much reading :3
The MySQL DB structure looks like this:
