's Foot
Posted: Tue Oct 16, 2007 4:22 pm
by Mightywayne
Sorry, I don't have a better name for the topic. I have no idea what to call the problem.
What's happening is I'm trying to insert the word "Rabbit's Foot" into the database, and it's giving me an SQL error saying it can't insert "s foot" into the DB.
Every option I've tried makes it have a / in the database, which I don't want.
Posted: Tue Oct 16, 2007 4:24 pm
by aaronhall
The apostrophe is prematurely terminating the string literal inside the query. Run user input through mysql_real_escape_string() before placing it into the query.
Posted: Tue Oct 16, 2007 4:26 pm
by Daron
Just a thought, would a \' work? Also, if I understand PHP correctly, if you use a " you can add a ' within it. Seriously, it would help if you posted the code that fails it unless you're directly adding it through a CLI in which case this topic may be in the wrong forum. I could be wrong altogether as I come to PHP from a Python background where quotes do very interesting things.
Posted: Tue Oct 16, 2007 4:40 pm
by superdezign
Daron wrote: Just a thought, would a \' work?
That's what mysql_real_escape_string() does.
Posted: Tue Oct 16, 2007 4:59 pm
by Mightywayne
I see. I wasn't aware that it magically stripped the slashes from the input. I thought what I saw as output was true. Thanks folks!
Posted: Tue Oct 16, 2007 5:00 pm
by Daron
But a \ is so much quicker
Seriously though, I believe we were writing at the same time, it just took me two minutes longer to hit post.
More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
Posted: Tue Oct 16, 2007 5:05 pm
by superdezign
Daron wrote:More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
It escapes characters, which is what the '\' does, plus some. That's why there's a mysql_real_escape_string() as well as the older, outdated mysql_escape_string(). There's even addslashes(), which only adds '\' on quotation marks and apostrophes.
Posted: Tue Oct 16, 2007 5:07 pm
by Daron
Mightywayne wrote: I see. I wasn't aware that it magically stripped the slashes from the input. I thought what I saw as output was true. Thanks folks!
That's pretty typical with any programming language. You have to escape your literals. Microsoft seems to have ruined many into thinking that it was literal when using \. In any language I've ever seen, in order to get a \ to be counted as literal, you need to do a \\. That's just in case you didn't know, otherwise I'm just assuming too much.
superdezign wrote:
Daron wrote: More seriously, is mysql_real_escape_string() more secure than \ or does it matter?
It escapes characters, which is what the '\' does, plus some. That's why there's a mysql_real_escape_string() as well as the older, outdated mysql_escape_string(). There's even addslashes(), which only adds '\' on quotation marks and apostrophes.
Thanks, I'll have to look into those.
Posted: Tue Oct 16, 2007 5:37 pm
by RobertGonzalez
mysql_real_escape_string() is favored over the other functions. It is much more thorough than adding a slash '\' or using addslashes().
Posted: Tue Oct 16, 2007 6:48 pm
by Daron
Well, "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL." That's enough for me to use it. Thanks.
Posted: Wed Oct 17, 2007 5:19 am
by Mordred
Daron wrote: Well, "This function must always (with few exceptions) be used to make data safe before sending a query to MySQL." That's enough for me to use it. Thanks.
And here are some examples of the said exceptions:
http://www.webappsec.org/projects/articles/091007.shtml (shameless, yet relevant plug)
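The behaviour the thread walks through (the apostrophe in "Rabbit's Foot" terminating the string literal, what escaping changes and why the stored value carries no backslash, how addslashes() differs from a MySQL-aware escape, and one case escaping cannot cover at all), as an added example that is not code from any of the posts. It uses PDO with an in-memory SQLite database instead of the old mysql extension so it runs without a server; SQLite quotes by doubling the apostrophe where MySQL's default is a backslash, but what ends up in the table is the same. The items table, the inputs, and the helper mysql_style_escape() are constructed for this example; the helper models the character list documented for mysql_real_escape_string() and is not that function. The unquoted numeric case in step 5 is a well-known exception and is not necessarily the one the linked article discusses.

```php
<?php
// Added example, not from the thread. Requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$input = "Rabbit's Foot";   // constructed user input from the first post

// 1. Concatenating raw input: the apostrophe closes the literal early and
//    the parser is left with "s Foot')", which is the error Mightywayne saw.
try {
    $db->exec("INSERT INTO items (name) VALUES ('" . $input . "')");
    echo "unexpected: raw insert succeeded\n";
} catch (PDOException $e) {
    echo "raw insert failed: " . $e->getMessage() . "\n";
}

// 2. Escaping for the connected driver. PDO::quote() wraps the value in
//    quotes and escapes it the way this server expects, which is the job
//    mysql_real_escape_string() did for the old mysql extension.
$db->exec("INSERT INTO items (name) VALUES (" . $db->quote($input) . ")");

// 3. The escape character is consumed while the literal is parsed; it never
//    reaches the table, so reading the row back gives the original text.
$stored = $db->query('SELECT name FROM items')->fetchColumn();
echo "stored value is " . ($stored === $input ? "identical to" : "different from")
    . " the input\n";

// 4. addslashes() escapes only ' " \ and NUL. The MySQL rule also covers
//    newline, carriage return and Control-Z. Model of that rule (a
//    constructed helper, not the real function) for a side-by-side view.
function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}
$multiline = "Rabbit's Foot\n";
echo "addslashes:   " . json_encode(addslashes($multiline)) . "\n";
echo "mysql-style:  " . json_encode(mysql_style_escape($multiline)) . "\n";

// 5. A case no escaping fixes: the value lands in an unquoted numeric
//    position. With no quote to terminate, the escape functions change
//    nothing and the whole expression is evaluated as SQL.
$db->exec("INSERT INTO items (name) VALUES ('Lucky Penny')");
$id = "1 OR 1=1";   // constructed hostile input
$count = $db->query("SELECT COUNT(*) FROM items WHERE id = " . addslashes($id))
            ->fetchColumn();
echo "unquoted numeric context matched $count row(s)\n";

// 6. A bound parameter is sent as data rather than spliced into the SQL
//    text, so neither the apostrophe nor the OR 1=1 is ever parsed as SQL.
$stmt = $db->prepare('SELECT COUNT(*) FROM items WHERE id = :id');
$stmt->execute([':id' => $id]);
echo "bound parameter matched " . $stmt->fetchColumn() . " row(s)\n";
```

Run it with the PHP CLI. Step 1 throws the syntax error from the first post, step 3 reports the value stored without any slash, step 5 shows the count covering every row because the escaped input is unchanged in a numeric position, and step 6 matches nothing because the hostile string is compared as a value. The escaping functions the thread compares are the right tool only when the value sits inside a quoted literal; binding parameters removes that condition entirely.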