
mysql_real_escape_string noob

Posted: Tue Oct 11, 2005 10:31 am
by imstupid
Hello-
I'm currently reading the forum and manual on mysql_real_escape_string vs addslashes, and have a random question.

I've got a forum with 10 fields or so, and am currently using addslashes on the variables (which I'll figure out if I need to change that to mysql_real_escape_string once I read more and get better at php).

However my question is, after I modify a user's entered data, this one user always runs into a problem with double quotes even though the input is displayed as \"Some Text\" in phpMyAdmin.

The only thing I can think of is maybe this guy types out all his information on some program, and these double quotes are from a different variety, perhaps from another planet. Here's the code:

Code:

$name = $_REQUEST['name'];

// Undo magic_quotes_gpc so the data is not escaped twice.
// Note that the same variable, $k, is used for both the key and the value here.
function cleanData() {
    foreach ($_POST as $k => $k)
        $_POST[$k] = stripslashes($k);
}

if (get_magic_quotes_gpc()) {
    cleanData();
}

$name = addslashes($name);

connect stuff...
query stuff...
Can anyone point me in the right direction as to what to read up on? again, the quotes are escaped on other users entries, but not this guy for some reason.

Thanks again.

Posted: Tue Oct 11, 2005 1:07 pm
by Maugrim_The_Reaper
First off - remember that stripslashes will not work if any data passed via POST/GET is an array. A better magic_quotes_gpc reverser might be:

Code:

function reverseMQ(&$var) {
    // Take $var by reference so the stripped value is written back to the caller.
    if (is_array($var)) {
        // Recurse into nested arrays (e.g. name="tags[]" inputs).
        foreach (array_keys($var) as $key) {
            reverseMQ($var[$key]);
        }
    } else {
        $var = stripslashes($var);
    }
}
Also you seem to double use the $k variable...try changing

Code:

foreach($_POST as $k => $k)
to

Code:

foreach($_POST as $key => $val)
and use $val as the basis for the stripslashes() function. - see my own version.

Finally - mysql_real_escape_string() is the most effective (if using a mysql connection of course). It escapes some special characters which can be used to enable an SQL injection.

Posted: Wed Oct 12, 2005 11:30 am
by imstupid
ok, I think I'm learnd-ing.

I checked with my server and magic_quotes_gpc is set to On. I modified that code a bit after reading up on mysql_real_escape_string and replaced addslashes with it. I then set up the testing table on a testing database, and tried throwing some sql-injection-type attacks at it and yelled out "what's up now!" as I hit the submit button.

Code:

<?php
$first = $_REQUEST['first'];
$last  = $_REQUEST['last'];
$email = $_REQUEST['email'];

$hd = mysql_connect("pudding", "tastes", "gud")
    or die("Unable to connect");

// magic_quotes_gpc is On on this server, so undo its escaping first;
// otherwise mysql_real_escape_string() escapes the backslashes a second time.
if (get_magic_quotes_gpc()) {
    $first = stripslashes($first);
    $last  = stripslashes($last);
    $email = stripslashes($email);
}

// Escape once, using the open connection so the server's charset is honoured.
$first = mysql_real_escape_string($first, $hd);
$last  = mysql_real_escape_string($last, $hd);
$email = mysql_real_escape_string($email, $hd);

$result = mysql_select_db("spoon", $hd)
    or die("Unable to select database");

mysql_query("INSERT INTO dessertutensils (first, last, email) VALUES ('$first', '$last', '$email')", $hd)
    or die(mysql_error($hd));


In phpMyAdmin, this code successfully added slashes to entries like ' or 'a'='a and a slew of other single-quote entries. Can anyone think of anything else I might try to SQL-injection-protect this code, or should it be somewhat OK against attacks?

I think I should change my level back to "Forum Newbie"

Posted: Wed Oct 12, 2005 11:46 am
by shiznatix
mysql_real_escape_string won't protect you against everything. It's best to use a preg_match pattern and check everything against its own pattern to make sure it is invalid. If it is invalid then throw an error and don't do the query. That is the SAFEST way but not really necessary if you are just running a small website without any people trying to attack you.
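An added example, not code from the thread, covering both the magic-quotes reversal discussed in Maugrim_The_Reaper's reply and the question of what protects the query beyond escaping: it reproduces the stored \"Some Text\" symptom offline, runs the reverse-then-escape order, and finishes with a prepared-statement insert. The request data is constructed, and insertUtensil() and $pdo are assumed names for an open PDO connection to the thread's dessertutensils table.

```php
<?php
// Added example (not code from the thread). It reproduces the \"Some Text\"
// symptom without a database and shows the order of steps that avoids it.

// Recursive magic-quotes reversal: takes $var by reference so the stripped
// value is written back, and descends into nested arrays (e.g. tags[] inputs).
function reverseMQ(&$var)
{
    if (is_array($var)) {
        foreach (array_keys($var) as $key) {
            reverseMQ($var[$key]);
        }
    } else {
        $var = stripslashes($var);
    }
}

// Constructed request data, as PHP delivers it with magic_quotes_gpc=On:
// every quote already carries one backslash.
$post = array(
    'name' => addslashes('"Some Text"'),              // \"Some Text\"
    'tags' => array(addslashes("O'Brien"), 'plain'),  // O\'Brien, plain
);

// Escaping again without reversing magic quotes doubles every backslash.
// MySQL removes one level when it parses the literal, so the stored row
// keeps \"Some Text\", which is what the first post saw in phpMyAdmin.
$doubleEscaped = addslashes($post['name']);           // \\\"Some Text\\\"
assert(substr_count($doubleEscaped, '\\') === 6);

// Correct order: undo magic quotes once (in a real script only when
// get_magic_quotes_gpc() is true; PHP 5.4+ never adds them), then escape
// once at query time. addslashes stands in for mysql_real_escape_string($v, $hd)
// here only because this example runs with no connection open.
reverseMQ($post);
assert($post['name'] === '"Some Text"' && $post['tags'][0] === "O'Brien");
$sql = "INSERT INTO dessertutensils (first) VALUES ('" . addslashes($post['name']) . "')";
assert($sql === "INSERT INTO dessertutensils (first) VALUES ('\\\"Some Text\\\"')");

// Preferred: a prepared statement sends values separately from the SQL text,
// so no escaping step is needed at all. Assumes $pdo is an open PDO handle.
function insertUtensil(PDO $pdo, $first, $last, $email)
{
    $stmt = $pdo->prepare(
        'INSERT INTO dessertutensils (first, last, email) VALUES (?, ?, ?)'
    );
    return $stmt->execute(array($first, $last, $email));
}
```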