problems with EscapeShellArg()


giles
Forum Commoner

Post by giles »

Hi,

I’ve run into some problems with EscapeShellArg() – wonder if you can help? I’ve been using it very successfully to place single quotes around inputted text {e.g. EscapeShellArg($answer)} to prevent maliciously keyed data being stored in my database. As said, all has been well, running on my localhost – however things are not so good after uploading it to my domain. I’m now getting MySQL syntax errors trying to write to my databases (e.g.)

Code:

'users answer'' WHERE session_id = '6tidcs36jq4bm3cceu9nnqbi16' at line 3
Obviously the noticeable fact is the double single quote at the end of the user's answer, but I’m foxed as to where this is coming from. I’ve checked the syntax of the $answer parameter feeding the function and it’s fine, so there’s nowhere that can be adding this extra quote.

The one clue, after checking versions, is that there is a difference between my localhost (running PHP 4.3.10, MySQL 3.23.49 … ok, ok, I know it’s old) and my IP (PHP 5.0.4, MySQL 4.1.20); however, I’ve checked EscapeShellArg() in the MySQL manual and there appear to be no reported issues in implementation. So that’s as far as my newbie brain has gotten me. I’d appreciate any thoughts you might have.

Thanks
Giles
feyd
Neighborhood Spidermoddy

Post by feyd »

Why is EscapeShellArg() being used for a query?

Can you post more code, because there's no way to tell what you're doing wrong so far.
giles
Forum Commoner

Post by giles »

I'm encapsulating an answer

Code:

$output = EscapeShellArg($input);
before passing to a database

Code:

$result = mysql_query
(
	"UPDATE Ddb
	SET 
		answer = '$answer'
	WHERE session_id = '$session_id' "
);
It's just been pointed out to me that this is very unusual practice (so I'll be contacting the authors of my current coursework). To recap: I've been using it to encapsulate keyed text inside single quotes before entering it into a database, the idea being that even malicious keystrokes will be seen as a string and therefore not acted upon by the system. It appears that this is not standard practice ... which begs the question ... what is the standard practice to render malicious keystrokes harmless??
volka
DevNet Evangelist

Post by volka »

EscapeShellArg => for shell command arguments
mysql_real_escape_string => for mysql query arguments.

Code:

$mysql = mysql_connect(...) or die(mysql_error());
mysql_select_db(..., $mysql) or die(mysql_error());
// escape the raw values for this connection; the surrounding quotes stay in the query text
$answer = mysql_real_escape_string($input, $mysql);
$session_id = mysql_real_escape_string($id, $mysql);
$query = "UPDATE
    Ddb
  SET
    answer = '$answer'
  WHERE
    session_id = '$session_id'
  ";
// on failure, show the MySQL error together with the query that caused it
$result = mysql_query($query, $mysql) or die(mysql_error($mysql).': '.$query);
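The following is an added example, not code from either poster. It reproduces the doubled quote in giles's error message (escapeshellarg() already wraps its argument in single quotes, so a query that adds its own quotes ends up with ''users answer'') and then answers the "what is standard practice" question two ways: escaping with the database driver's own quoting function, which is what volka's mysql_real_escape_string() snippet does, and a prepared statement, where the value never becomes part of the SQL text at all. One caveat on volka's snippet: the mysql_* extension was removed in PHP 7.0, so on current PHP the same approach is spelled mysqli_real_escape_string() or PDO::quote(). To run offline the example assumes an in-memory SQLite database through PDO (pdo_sqlite) in place of MySQL; the table name Ddb and the session_id come from the thread, the hostile input string is constructed for the demo, and escapeshellarg() is assumed to behave as on a POSIX system (on Windows it wraps the value in double quotes instead).

```php
<?php
// Added example, not code from the thread. It reproduces the doubled quote
// from giles's error message and shows the two correct ways to pass the value.
// Assumptions: an in-memory SQLite database through PDO stands in for MySQL so
// this runs offline; the table Ddb and session_id come from the thread; the
// hostile input is constructed for the demo; escapeshellarg() behaves as on a
// POSIX system (on Windows it wraps the value in double quotes instead).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Ddb (session_id TEXT PRIMARY KEY, answer TEXT)");
$pdo->exec("INSERT INTO Ddb (session_id, answer) VALUES ('6tidcs36jq4bm3cceu9nnqbi16', '')");

$session_id = '6tidcs36jq4bm3cceu9nnqbi16';
$input      = 'users answer';      // the harmless text from the thread
$hostile    = "x' OR 1=1 --";       // constructed injection attempt

// 1. The thread's approach. escapeshellarg() wraps the value in its own single
//    quotes (and turns an embedded ' into '\''), so once the query adds a
//    second pair the server sees answer = ''users answer'' and rejects it.
$answer = escapeshellarg($input);
$sql = "UPDATE Ddb SET answer = '$answer' WHERE session_id = '$session_id'";
echo "query sent: $sql\n";
try {
    $pdo->exec($sql);
    echo "unexpectedly accepted\n";
} catch (PDOException $e) {
    echo "rejected by the database: " . $e->getMessage() . "\n";
}

// 2. Escaping for the database dialect (the role mysql_real_escape_string()
//    played for ext/mysql). PDO::quote() returns the value already wrapped in
//    quotes and with embedded quotes escaped the way this driver expects, so
//    the query must not add quotes of its own around it.
$sql = "UPDATE Ddb SET answer = " . $pdo->quote($hostile)
     . " WHERE session_id = " . $pdo->quote($session_id);
$pdo->exec($sql);

// 3. A prepared statement: the value is sent separately from the SQL text, so
//    nothing in it can ever be parsed as SQL and no escaping step is needed.
$stmt = $pdo->prepare('UPDATE Ddb SET answer = :answer WHERE session_id = :sid');
$stmt->execute([':answer' => $hostile, ':sid' => $session_id]);

// Confirm the hostile text was stored as plain data and the WHERE clause held:
// exactly one row, and its answer column is byte-for-byte what was submitted.
$rows = $pdo->query('SELECT session_id, answer FROM Ddb')->fetchAll(PDO::FETCH_ASSOC);
if (count($rows) === 1 && $rows[0]['answer'] === $hostile) {
    echo "stored verbatim as data, not executed as SQL\n";
} else {
    echo "something went wrong\n";
}
```

Run it with `php example.php`. The practical rule it illustrates: an escaping function is tied to the parser that will read the result (the shell for escapeshellarg(), one specific database driver for mysql_real_escape_string() or PDO::quote()), and whether it adds the surrounding quotes itself decides whether the query may add its own. Prepared statements sidestep both questions, which is why they are the default choice today.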