mysql_real_escape_string() : Works or not?

Posted: Fri Dec 09, 2011 9:30 pm
by Aristona
Hey,

I just wrote my database class. I am sanitizing each parameter with mysql_real_escape_string() automatically.

This is the query output after sanitization:

UPDATE PAGE SET content = 'Hello world. \';();\'' WHERE id = '11'

As you can see, it automatically adds backslashes to the left side of ' characters, however, when I browse my MYSQL table, I can't see these \ symbols.

So my question is, what could be the reason I can't see backslashes in my MYSQL table? Is it a normal thing?

Re: mysql_real_escape_string() : Works or not?

Posted: Fri Dec 09, 2011 9:53 pm
by twinedev
The backslashes are so that SQL knows that those single quotes are part of the string, and NOT closing the string. Therefore you will not see them in the database.

-Greg

Re: mysql_real_escape_string() : Works or not?

Posted: Fri Dec 09, 2011 10:35 pm
by Aristona
Hey greg,

Thanks for your reply.

Does this mean I should not be worrying about SQL Injection? (cause I thought mysql_real_escape_string() wasn't working properly due to no backslashes in database.)

Re: mysql_real_escape_string() : Works or not?

Posted: Sat Dec 10, 2011 9:33 am
by Aristona
Bumpin' once.

Re: mysql_real_escape_string() : Works or not?

Posted: Sat Dec 10, 2011 12:29 pm
by twinedev
As long as you properly quote the strings in your SQL and then use mysql_real_escape_string() with all values in between, then you should be safe.

-Greg

PS, no need to "bump" the thread, it just shows impatience, especially in such a short period of time. It doesn't make someone reply faster, and for some people it will tend to push them off from trying to contribute, since they come here for the enjoyment of helping others, not to deal with the neediness that they probably get from their day jobs doing this.

Re: mysql_real_escape_string() : Works or not?

Posted: Sat Dec 10, 2011 9:18 pm
by Aristona
I create a query like this:

$database->Query('UPDATE X Set A = %s, B = %s', $blablaA, $blablaB);

The Query function in my database class splits on every %s, then replaces each one with the corresponding parameter as ( ' . mysql_real_escape_string($variable) . ' )
Ex: ' . mysql_real_escape_string($blablaA) . '

When I echo the final query, I see it automatically adds backslashes to inputs, so probably the script is working.
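An added illustration of the scheme described in this post and of Greg's "quote the strings" condition above (written for this thread in Python; it is not the poster's PHP class or PHP's own function): a stand-in for mysql_real_escape_string(), the %s-to-quoted-literal substitution, and a MySQL-style literal decoder that shows why the stored value carries no backslashes and why the surrounding quotes are what make the escaping effective. It assumes a single-byte charset and that the server's NO_BACKSLASH_ESCAPES mode is off.

```python
# Added illustration for this thread (not PHP's code): a stand-in for
# mysql_real_escape_string(), the poster's "%s -> quoted + escaped" Query()
# scheme, and a MySQL-style literal decoder showing why the stored value has
# no backslashes. Assumes a single-byte charset and NO_BACKSLASH_ESCAPES off.
ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
           "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
UNESCAPES = {seq[1]: raw for raw, seq in ESCAPES.items()}

def escape(value: str) -> str:
    """Backslash-escape the characters MySQL treats specially inside a quoted literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def build_query(template: str, *params) -> str:
    """Every %s becomes '<escaped value>'; the quotes are added here, not by the caller."""
    parts = template.split("%s")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    sql = parts[0]
    for rest, param in zip(parts[1:], params):
        sql += "'" + escape(str(param)) + "'" + rest
    return sql

def decode_literals(sql: str):
    """Split a statement the way the server's lexer does. Returns (literals, skeleton):
    literals are the decoded values (a backslash is consumed, the next char is kept),
    skeleton is the statement with each literal replaced by '?'."""
    literals, skeleton, i = [], [], 0
    while i < len(sql):
        if sql[i] != "'":
            skeleton.append(sql[i]); i += 1; continue
        buf, i = [], i + 1
        while i < len(sql) and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < len(sql):
                buf.append(UNESCAPES.get(sql[i + 1], sql[i + 1])); i += 2
            else:
                buf.append(sql[i]); i += 1
        if i >= len(sql):
            raise ValueError("unterminated string literal")
        literals.append("".join(buf)); skeleton.append("?"); i += 1
    return literals, "".join(skeleton)

if __name__ == "__main__":
    q = build_query("UPDATE PAGE SET content = %s WHERE id = %s", "Hello world. ';();'", 11)
    print(q)                   # backslashes are visible in the SQL text ...
    print(decode_literals(q))  # ... but not in the values the server stores
    # Escaping alone is not enough: with the value left unquoted, nothing needs
    # escaping and the text is parsed as SQL, so the statement's shape changes.
    print(decode_literals("UPDATE PAGE SET content = 'x' WHERE id = " + escape("11 OR 1=1")))
```

The skeleton returned by decode_literals() is the quick check: a correctly quoted value never changes it, whatever the value contains.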

Re: mysql_real_escape_string() : Works or not?

Posted: Sun Dec 11, 2011 2:19 am
by social_experiment
http://php.net/manual/en/function.mysql ... string.php
@OP More information on the subject; have a look at example 1, it looks similar to your script.