mysql_real_escape_string question

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

mysql_real_escape_string question

Post by Addos »

I’m posting data from a Form in my search page to query my database on another page using:

Code: Select all

$therap = $_POST['me'];
$country = $_POST['you]; 
 
mysql_select_db($*, $**);
$query_rstResults = "SELECT * FROM blah
WHERE users = $country
AND type  = $therap " ;
To avoid a possible SQL attack should I use

Code: Select all

$therap = mysql_real_escape_string($_POST['me']);
$country = mysql_real_escape_string($_POST[‘you']);
Thanks for any advise.
Last edited by Benjamin on Thu Apr 30, 2009 12:20 pm, edited 1 time in total.
Reason: Changed code type to php.
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: mysql_real_escape_string question

Post by mattpointblank »

Yes - any escaping is better than none, obviously. There are ways around mysql_real_escape_string however - it's worth using it in conjunction with other filters too - google SQL Injection Prevention for tips.
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: mysql_real_escape_string question

Post by requinix »

mattpointblank wrote:There are ways around mysql_real_escape_string however
You've piqued my curiosity. Any examples of this?
Addos
Forum Contributor
Posts: 305
Joined: Mon Jan 17, 2005 4:13 pm

Re: mysql_real_escape_string question

Post by Addos »

Thanks a mil
:wink:
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: mysql_real_escape_string question

Post by mattpointblank »

tasairis wrote:
mattpointblank wrote:There are ways around mysql_real_escape_string however
You've piqued my curiosity. Any examples of this?
From this page (http://www.webappsec.org/projects/articles/091007.shtml)

Code: Select all

 
$userid = isset($_GET['id']) ? $_GET['id'] : 0;
$userid = mysql_real_escape_string($userid);
RunQuery("SELECT userid, username FROM sql_injection_test 
    WHERE userid=$userid");
---------[ Tests: ]------------------------------
1. id=0
2. id=1
3. id=2
4. id=3
5. id='
6. id=0 or 1
7. id=0 UNION ALL SELECT userid, CONCAT(username, ' ', password) 
    FROM sql_injection_test WHERE 1
8. id=0 UNION ALL SELECT userid, CONCAT(username, CHAR(32), password) 
    FROM sql_injection_test WHERE 1
 
 
Tests 6 and 8 work.
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: mysql_real_escape_string question

Post by requinix »

Well yeah. Duh. mysql_real_escape_string is for strings, not numbers.

If you shove "a number" through it and expect to get a number back, you're wrong.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: mysql_real_escape_string question

Post by Christopher »

tasairis wrote:Well yeah. Duh. mysql_real_escape_string is for strings, not numbers.

If you shove "a number" through it and expect to get a number back, you're wrong.
I think you misunderstand mysql_real_escape_string(). It works on strings containing numbers, letters and symbols. What it does is escape any values that would cause problems within quotes in MySQL. It does not in itself work against all injection attacks. You would need to check that unquoted values only contain numbers separately.
(#10850)
mattpointblank
Forum Contributor
Posts: 304
Joined: Tue Dec 23, 2008 6:29 am

Re: mysql_real_escape_string question

Post by mattpointblank »

tasairis wrote:Well yeah. Duh. mysql_real_escape_string is for strings, not numbers.

If you shove "a number" through it and expect to get a number back, you're wrong.
My point was that blindly applying mysql_real_escape_string to anything going into a query isn't going to save you from all injection attacks. A lot of articles and forum discussions just tell people to wrap any user input with it and then everything will be fine - not true, as we've seen.
User avatar
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: mysql_real_escape_string question

Post by requinix »

arborint wrote:I think you misunderstand mysql_real_escape_string(). It works on strings containing numbers, letters and symbols. What it does is escape any values that would cause problems within quotes in MySQL. It does not in itself work against all injection attacks. You would need to check that unquoted values only contain numbers separately.
Right. I understand it fine - security in applications is my strong point. By "strings" and "numbers" I'm talking about data types in a more abstract sense.

The mentality is that mysql_real_escape_string makes all input safe but it doesn't: it only works for strings. Once you start treating data as numbers you get problems.
If you want to make a number safe then it's easier to use another function, like is_numeric, intval, or ctype_digit. Two different types of data, two separate ways of making them safe.
Post Reply