PHP: Does base64_encode protect from mysql injections? -

-

i'm trying set php page safely accept file upload (a resume), store mysql blob, , provide download later. when download pdfs later viewing, seem corrupted , won't open properly.

thanks question jgoettsch (php: reversing mysql_real_escape_string's effects on binary), realized feeding file data through mysql_real_escape_string (to prevent injection) might corrupt file contents, , got idea pass binary through base64_encode() instead, , use base64_decode() before download.

here's mockup code demonstrating i'm doing (which not working):

the upload:

<?  // file contents $cv_pointer = fopen($_files['cv']['tmp_name'], 'r'); $cv_content = fread($cv_pointer, filesize($_files['cv']['tmp_name'])); fclose($cv_pointer);  // insert sql $sql = sprintf("insert documents (name, file, size, date_uploaded)   values ('%s', '%s', '%s', now())",     mysql_real_escape_string($_files['cv']['name']),     mysql_real_escape_string($cv_content),     mysql_real_escape_string($_files['cv']['size'])); $result = mysql_query($sql); ?>

and download:

<?  if (isset($_get['view_cv'])) {   $cv = mysql_fetch_assoc($rsapplicationcv);    header("content-length: ".$cv['size']);    header("content-type: application/pdf");    header("content-disposition: attachment; filename=".$cv['name']);   echo $cv['file'];   exit(); } ?>

here questions:

  1. if have file upload field, field vulnerable sql injection? or worrying unnecessarily? file upload task simpler if pass binary blob field without translations.
  2. if feed uploaded file contents through base64_encode(), tantamount sanitization? or should encode additionally pass encoded string through mysql_real_escape_string?
  3. this seems lot of effort store , fetch pdf. there simpler solution common need, haven't stumbled on yet?

thanks in advance!

q if have file upload field, field vulnerable sql injection?

a yes (sort of. it's not fields on form vulnerable sql injection; vulnerability in code handles values submitted in request.)

q or worrying unnecessarily?

a no. should aware of potential bad things happen, , write code in way prevents vulnerabilities being exposed (and exploited.)

q if feed uploaded file contents through base64_encode(), tantamount sanitization?

a it's there, long base64_encode guarantees returned value contain [a-za-z0-9+./=]. best practice use bind parameters

q or should encode additionally pass encoded string through mysql_real_escape_string?

a barring use of prepared statements bind parameters, best practice dictates values (including base64_encoded values) run through mysql_real_escape_string if being included in sql text submitted database.


Comments

Post a Comment

Popular posts from this blog

c++ - Creating new partition disk winapi -

-
i'am trying create new partition , mount volume new, thought createfile let me this, code : lpctstr lpfilename=l"\\\\.\\device\\harddisk0\\partition3"; handle handl=createfile( lpfilename, generic_read | generic_write, file_share_read | file_share_write, null, create_always, file_attribute_normal, null ); if (handl==invalid_handle_value) { qdebug()<<"handl invalid"<<" error"<<getlasterror();} bool success = definedosdevice(ddd_raw_target_path,l"i:",l"\\device\\harddisk0\\partition3"); if(!success) qdebug()<<" definedosdevice failed "<<getlasterror(); bflag = getvolumenameforvolumemountpoint( l"i:\\", // input volume mount point or directory /** u in dir
Read more

Android Prevent Bluetooth Pairing Dialog -

-
i'm developing internal application uses bluetooth printing. want bluetooth pairing occur without user input. have managed working trapping android.bluetooth.device.action.pairing_request broadcast. in broadcast receiver call setpin method, , pairing works ok, bluetoothpairingdialog displayed second or two, disappears - see link below. https://github.com/android/platform_packages_apps_settings/blob/master/src/com/android/settings/bluetooth/bluetoothpairingdialog.java since broadcast non-ordered, can't call abortbroadcast() , , wondering if there other way prevent pairing dialog appearing. can hook window manager in way? i haven't been able come way without modifying sdk. if you're oem, it's easy (i'm on 4.3): in packages/apps/settings/androidmanifest.xml, comment intent filter pairing dialog: <activity android:name=".bluetooth.bluetoothpairingdialog" android:label="@string/bluetooth_pairing_request"
Read more

VBA function to include CDATA -

-
i have following function include cdata: function cdatasection() dim objdom domdocument dim objkmlrootelement ikmldomelement dim objkmlelement ikmldomelement dim cdata ikmldomcdatasection set objdom = new domdocument set objkmlrootelement = objdom.createelement("balloonstyle") objdom.appendchild objkmlrootelement set objkmlelement = objdom.createelement("text") objkmlrootelement.appendchild objkmlelement set cdata = objdom.createcdatasection("text") cdata.data = "<![cdata[<b>latitude = $[latitude]</b>?]]>;" end function when run above, getting error "user defined data type not found" function. yes ripster says find library reference. vba window tools>references for list of relevant references see... http://msdn.microsoft.com/en-us/library/windows/desktop/ms763701%28v=vs.85%29.aspx however, if have hard time tracking down reference, replace dim sta
Read more