problems with EscapeShellArg()

Posted: Tue Feb 27, 2007 3:21 pm
by giles
Hi,

I’ve run into some problems with EscapeShellArg() – wonder if you can help? I’ve been using it very successfully to place single quotes around inputted text {e.g. EscapeShellArg($answer)} to prevent maliciously keyed data being stored in my database. As said, all has been well, running on my localhost – however things are not so good after uploading it to my domain. I’m now getting MySQL syntax errors trying to write to my databases (e.g.)

Code:

'users answer'' WHERE session_id = '6tidcs36jq4bm3cceu9nnqbi16' at line 3
Obviously the noticeable fact is the double single quote at the end of the user's answer, but I’m foxed as to where this is coming from. I’ve checked the syntax of the $answer parameter feeding the function and it’s fine, so there’s nowhere that can be adding this extra quote.

The one clue, after checking versions, is that there is a difference between my localhost (running php4.3.10 MySQL 3.23.49 … ok, ok, I know it’s old) and my IP (php 5.0.4 MySQL 4.1.20); however I’ve checked EscapeShellArg() in the MySQL manual and there appears to be no reported issues in implementation. So that’s as far as my newbie brain has gotten me. I’d appreciate any thoughts you might have.

Thanks
Giles

Posted: Tue Feb 27, 2007 3:33 pm
by feyd
Why is EscapeShellArg() being used for a query?

Can you post more code, because there's no way to tell what you're doing wrong so far.

Posted: Wed Feb 28, 2007 3:13 am
by giles
I'm encapsulating an answer

Code:

$output = EscapeShellArg($input);
before passing to a database

Code:

// $answer holds the EscapeShellArg() output and is interpolated straight into the SQL
$result = mysql_query
(
	"UPDATE Ddb
	SET
		answer = '$answer'
	WHERE session_id = '$session_id' "
);
It's just been pointed out to me that this is very unusual practice (so I'll be contacting the authors of my current coursework). To recap: I've been using it to encapsulate keyed text inside single quotes before entering it into a database, the idea being that even malicious keystrokes will be seen as a string and therefore not acted upon by the system. It appears that this is not standard practice ... which begs the question ... what is the standard practice to render malicious keystrokes harmless??

Posted: Wed Feb 28, 2007 5:19 am
by volka
EscapeShellArg => for shell command arguments
mysql_real_escape_string => for mysql query arguments.

Code:

$mysql = mysql_connect(...) or die(mysql_error());
mysql_select_db(..., $mysql) or die(mysql_error());
$answer = mysql_real_escape_string($input, $mysql);
$session_id = mysql_real_escape_string($id, $mysql);
$query = "UPDATE
    Ddb
  SET
    answer = '$answer'
  WHERE
    session_id = '$session_id'
  ";
$result = mysql_query($query, $mysql) or die(mysql_error($mysql).': '.$query);
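An added example (not code from the thread) showing what each function actually does to the answer text, using the thread's own UPDATE statement. It assumes PHP 7+ with the pdo_sqlite extension and runs offline against an in-memory SQLite database; since the mysql_* functions are gone from PHP 7, PDO::quote() stands in for mysql_real_escape_string() (it escapes the quote characters and also adds the surrounding quotes), and the prepared statement at the end is the standard practice giles asked about.

```php
<?php
// Added example, not from the thread. Constructed sample input containing a quote,
// and the session id taken from the MySQL error giles posted.
$input     = "it's the users answer";
$sessionId = '6tidcs36jq4bm3cceu9nnqbi16';

// 1. escapeshellarg() wraps the value in single quotes for a *shell*.
//    Interpolated into a query that already supplies its own quotes this gives
//    answer = ''...'' : the doubled quote seen in the MySQL syntax error.
$shellQuoted = escapeshellarg($input);
echo "escapeshellarg      : $shellQuoted\n";
echo "SQL built with it   : UPDATE Ddb SET answer = '$shellQuoted' WHERE ...\n";

// 2. Database-side quoting: PDO::quote() doubles the quote characters the
//    *database* parser cares about and adds the surrounding quotes itself.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Ddb (session_id TEXT PRIMARY KEY, answer TEXT)');
$db->prepare('INSERT INTO Ddb (session_id, answer) VALUES (?, ?)')
   ->execute([$sessionId, '']);
echo "PDO::quote          : " . $db->quote($input) . "\n";

// 3. Prepared statement: the value never becomes part of the SQL text, so no
//    quoting step is needed at all and a quote in the answer cannot break it.
$stmt = $db->prepare('UPDATE Ddb SET answer = :answer WHERE session_id = :sid');
$stmt->execute([':answer' => $input, ':sid' => $sessionId]);

$check = $db->prepare('SELECT answer FROM Ddb WHERE session_id = ?');
$check->execute([$sessionId]);
$stored = $check->fetchColumn();
echo "stored in Ddb       : $stored\n";
// The stored value is the original text, quote included, untouched.
assert($stored === $input);
```

The first two echoes make the difference concrete: escapeshellarg() yields 'it'\''s the users answer' (shell syntax), while PDO::quote() yields 'it''s the users answer' (SQL syntax).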