mysql_real_escape_string noob

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


imstupid
Forum Commoner
Posts: 84
Joined: Fri Feb 18, 2005 1:24 pm

mysql_real_escape_string noob

Post by imstupid »

Hello-
I'm currently reading the forum and manual on mysql_real_escape_string vs addslashes, and have a random question.

I've got a forum with 10 fields or so, and am currently using addslashes on the variables (which I'll figure out if I need to change to mysql_real_escape_string once I read more and get better at PHP).

However, my question is: after I modify a user's entered data, this one user always runs into a problem with double quotes, even though the input is displayed as \"Some Text\" in phpMyAdmin.

The only thing I can think of is that maybe this guy types out all his information in some program, and these double quotes are of a different variety, perhaps from another planet. Here's the code:

Code:

$name = $_REQUEST['name'];

function cleanData() {
    foreach ($_POST as $k => $k)
        $_POST[$k] = stripslashes($k);
}

if (get_magic_quotes_gpc()) {
    cleanData();
}

$name = addslashes($name);

connect stuff...
query stuff...
Can anyone point me in the right direction as to what to read up on? Again, the quotes are escaped on other users' entries, but not this guy's for some reason.

Thanks again.
Last edited by imstupid on Wed Oct 12, 2005 11:30 am, edited 1 time in total.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

First off - remember that stripslashes will not work if any data passed via POST/GET is an array. A better magic_quotes_gpc reverser might be:

Code:

// $var is taken by reference: without the &, the stripped value would stay
// inside the function and the caller's array would be left untouched.
function reverseMQ(&$var) {
    if (is_array($var)) {
        // Recurse into nested arrays, passing each element by reference.
        foreach (array_keys($var) as $key) {
            reverseMQ($var[$key]);
        }
    } else {
        $var = stripslashes($var);
    }
}
Also you seem to use the $k variable twice... try changing

Code:

foreach($_POST as $k => $k)

to

Code:

foreach($_POST as $key => $val)

and use $val as the basis for the stripslashes() call (see my own version).

Finally - mysql_real_escape_string() is the most effective (if using a mysql connection of course). It escapes some special characters which can be used to enable an SQL injection.
imstupid
Forum Commoner
Posts: 84
Joined: Fri Feb 18, 2005 1:24 pm

Post by imstupid »

ok, I think I'm learnd-ing.

I checked with my server and magic_quotes_gpc is set to On. I modified that code a bit after reading up on mysql_real_escape_string and replaced addslashes with it. I then set up the testing table on a testing database, and tried throwing some sql-injection-type attacks at it and yelled out "what's up now!" as I hit the submit button.

Code:

<?php
$first = $_REQUEST['first'];
$last = $_REQUEST['last'];
$email = $_REQUEST['email'];

$hd = mysql_connect("pudding", "tastes", "gud")
    or die("Unable to connect");

// Escaping needs the open connection above. Note: with magic_quotes_gpc On,
// the values already carry backslashes that are not stripped here first.
$first = mysql_real_escape_string($first);
$last = mysql_real_escape_string($last);
$email = mysql_real_escape_string($email);

$result = mysql_select_db("spoon", $hd)
    or die("Unable to select database");

mysql_query("INSERT INTO dessertutensils (first, last, email) VALUES ('$first', '$last', '$email')")
    or die(mysql_error());

In phpMyAdmin, this code successfully added slashes to entries like ' or 'a'='a and a slew of other single-quote entries. Can anyone think of anything else I might try to SQL-injection-protect this code, or should it be somewhat OK against attacks?

I think I should change my level back to "Forum Newbie"
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

mysql_real_escape_string won't protect you against everything. It's best to use a preg_match pattern and check everything against its own pattern to make sure it is invalid. If it is invalid then throw an error and don't do the query. That is the SAFEST way, but not really necessary if you are just running a small website without any people trying to attack you.
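An added example (my own code, not from the thread) that combines the two replies above: Maugrim's by-reference magic-quotes reversal, then shiznatix's per-field preg_match whitelist, so that any rejected field stops the query before escaping is even reached. The field names, patterns and the sample input are assumptions.

```php
<?php
// Added example, not code from the thread: reverse magic quotes recursively
// (Maugrim's point), then check each field against its own anchored pattern
// (shiznatix's point) and build no query when any field fails.
// Field names, patterns and the sample input are assumptions.

// By-reference parameter: the original reverseMQ took $var by value, so the
// caller never saw the stripped copy.
function reverseMQ(&$var) {
    if (is_array($var)) {
        foreach (array_keys($var) as $key) {
            reverseMQ($var[$key]);
        }
    } else {
        $var = stripslashes($var);
    }
}

// Whitelist per field: only what its pattern allows gets through.
$patterns = array(
    'first' => '/^[A-Za-z\' -]{1,50}$/',
    'last'  => '/^[A-Za-z\' -]{1,50}$/',
    'email' => '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/',
);

// Returns the names of fields that are missing, nested, or fail their pattern.
function validateFields(array $input, array $patterns) {
    $bad = array();
    foreach ($patterns as $field => $pattern) {
        if (!isset($input[$field]) || is_array($input[$field])
                || preg_match($pattern, $input[$field]) !== 1) {
            $bad[] = $field;
        }
    }
    return $bad;
}

// Constructed stand-in for $_POST: a real apostrophe in 'first', an injection-style 'last'.
$_POST = array('first' => "O'Brien", 'last' => "' or 'a'='a", 'email' => 'ob@example.com');
// Only PHP builds that still have magic quotes add the slashes, so only strip there.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    reverseMQ($_POST);
}
$errors = validateFields($_POST, $patterns);
if (count($errors) > 0) {
    echo "Rejected fields: " . implode(', ', $errors) . "\n"; // no query is built
} else {
    // Accepted values would now be escaped with mysql_real_escape_string() as the thread does.
}
```

With the sample input only 'last' is rejected, since the pattern admits a quote but not the '=' that the injection-style value needs.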