Yes - any escaping is better than none, obviously. There are ways around mysql_real_escape_string however - it's worth using it in conjunction with other filters too - google SQL Injection Prevention for tips.
tasairis wrote: Well yeah. Duh. mysql_real_escape_string is for strings, not numbers.
If you shove "a number" through it and expect to get a number back, you're wrong.
I think you misunderstand mysql_real_escape_string(). It works on strings containing numbers, letters and symbols. What it does is escape any values that would cause problems within quotes in MySQL. It does not in itself work against all injection attacks. You would need to check that unquoted values only contain numbers separately.
tasairis wrote: Well yeah. Duh. mysql_real_escape_string is for strings, not numbers.
If you shove "a number" through it and expect to get a number back, you're wrong.
My point was that blindly applying mysql_real_escape_string to anything going into a query isn't going to save you from all injection attacks. A lot of articles and forum discussions just tell people to wrap any user input with it and then everything will be fine - not true, as we've seen.
arborint wrote: I think you misunderstand mysql_real_escape_string(). It works on strings containing numbers, letters and symbols. What it does is escape any values that would cause problems within quotes in MySQL. It does not in itself work against all injection attacks. You would need to check that unquoted values only contain numbers separately.
Right. I understand it fine - security in applications is my strong point. By "strings" and "numbers" I'm talking about data types in a more abstract sense.
The mentality is that mysql_real_escape_string makes all input safe but it doesn't: it only works for strings. Once you start treating data as numbers you get problems.
If you want to make a number safe then it's easier to use another function, like is_numeric, intval, or ctype_digit. Two different types of data, two separate ways of making them safe.
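The following is an added example, not code posted by anyone in this thread. It shows the two points the posters make: escaping does nothing for a value placed in an unquoted numeric position, and a separate numeric check (ctype_digit with an int cast) or a prepared statement is what actually makes that position safe. The `mysqli` connection, the `users` table and its `id` column are assumptions for illustration; the original `mysql_real_escape_string()` was removed in PHP 7, so `mysqli_real_escape_string()` stands in for it here.

```php
<?php
// Added example (not from the thread). Demonstrates why quote-escaping does
// not protect an unquoted numeric value and shows two safe alternatives.
// Assumed for illustration: a mysqli connection in $db and a table
// `users` with an integer `id` column.

// Escaping only: the function neutralises NUL, \n, \r, \, ', " and \x1a.
// A value that contains none of those characters is returned unchanged,
// so in "WHERE id = $safe" (no quotes around the value) nothing stops
// extra SQL tokens from reaching the parser.
function buildQueryWithEscapeOnly(mysqli $db, string $id): string
{
    $safe = mysqli_real_escape_string($db, $id);
    return "SELECT id, name FROM users WHERE id = $safe";
}

// Type check: ctype_digit() is true only for a non-empty string made of
// the characters 0-9, so anything else is rejected before the query is
// built. The int cast then guarantees the interpolated value is a number.
function validateNumericId(string $id): ?int
{
    if ($id === '' || !ctype_digit($id)) {
        return null;
    }
    return (int) $id;
}

function buildQueryWithValidation(string $id): ?string
{
    $n = validateNumericId($id);
    if ($n === null) {
        return null;            // caller should respond with a 400-style error
    }
    return "SELECT id, name FROM users WHERE id = $n";
}

// Prepared statement: the value never becomes part of the SQL text at all,
// so the question of quoting or escaping does not arise. The "i" type
// tells mysqli to bind it as an integer.
function fetchUserPrepared(mysqli $db, string $id): ?array
{
    $n = validateNumericId($id);
    if ($n === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $n);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs for the offline part of the demo: a legitimate id,
// a value with no quote characters but extra SQL tokens, and a float.
$inputs = ['42', '1 OR 1=1', '4.2'];

foreach ($inputs as $in) {
    $q = buildQueryWithValidation($in);
    echo str_pad(var_export($in, true), 14),
         ' => ', $q === null ? 'rejected by ctype_digit' : $q, PHP_EOL;
}

// The escape-only builder needs a live connection; run it only if one is
// configured (assumed environment variables, not part of the thread).
if (getenv('DB_HOST') !== false) {
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'),
                     getenv('DB_PASS'), getenv('DB_NAME'));
    foreach ($inputs as $in) {
        // Compare with the validated query above: the second input comes
        // through the escaping step unchanged.
        echo 'escape-only: ', buildQueryWithEscapeOnly($db, $in), PHP_EOL;
    }
    $db->close();
}
```

Run it with `php example.php`; without `DB_HOST` set only the validation loop executes, which is enough to see the second and third inputs rejected. The design choice worth noting is that `validateNumericId()` is also called before the prepared statement: binding already prevents injection, but rejecting non-numeric input early gives a clean error instead of a silently coerced value.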