:?: Escaping data :?:

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


granite
Forum Commoner
Posts: 44
Joined: Mon Feb 09, 2009 10:52 am

:?: Escaping data :?:

Post by granite »

Around the internet I found many pages talking about security. Among them, some told me to escape the data before inserting it into a database. Now, what does "escape data" mean? How and why am I supposed to do this?

Thanks. :)
Last edited by granite on Tue May 12, 2009 12:43 pm, edited 1 time in total.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: :?: Escaping data :?:

Post by Eran »

granite wrote:Among them, some told me to scape the data before inserting it into a database. Now, what does "scape data" mean?
escape data...
http://www.php.net/mysql_real_escape_string
Last edited by Eran on Tue May 12, 2009 3:36 pm, edited 1 time in total.
granite
Forum Commoner
Posts: 44
Joined: Mon Feb 09, 2009 10:52 am

Re: :?: Escaping data :?:

Post by granite »

Hm... yeah, thanks, but this doesn't tell me much.
Why should I escape data before inserting it into a database?
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Re: :?: Escaping data :?:

Post by jayshields »

So people don't misuse your website. SQL injection is one of the most talked about topics in this area.

Please don't use unnecessary characters in your thread titles to attract attention.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: :?: Escaping data :?:

Post by Christopher »

granite wrote:Hm... yeah, thanks, but this doesn't tell me much.
Why should I escape data before inserting it into a database?
Given the code:

Code:

query("SELECT * FROM bank_account WHERE user='{$_GET['user']}'");

You would get an error if the user's ID has a " in it.

Someone could send the malicious URL:

bank.com?user=me' OR user='you
or:
bank.com?user=me'; INSERT INTO bank_account balance=10000000 WHERE user='me

Not exact syntax, but hopefully you get the idea.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: :?: Escaping data :?:

Post by kaisellgren »

granite wrote:Why should I escape data before inserting it into a database?
http://en.wikipedia.org/wiki/SQL_injection
granite
Forum Commoner
Posts: 44
Joined: Mon Feb 09, 2009 10:52 am

Re: :?: Escaping data :?:

Post by granite »

Hey, thanks for the links. Now this is much clearer to me. One more thing, though: doing something like

Code:

$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'", 
                  mysql_real_escape_string($Username), 
                  mysql_real_escape_string($Password));
mysql_query($query);

will make my login code (at this point, of course) 100% secure? If not, what more should I consider?

PS.: smurf... I'm gonna have to redo a LOT of things. :banghead:
Last edited by granite on Tue May 12, 2009 6:48 pm, edited 2 times in total.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: :?: Escaping data :?:

Post by Christopher »

It will protect that query from injection attacks. It will not make your "login code 100% secure."
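The thread's scenario run end to end, as an added example that is not code from any post above: it builds Christopher's bank_account query three ways (value pasted in, value escaped via sprintf as in granite's snippet, and a prepared statement, which the thread does not show) and runs the `me' OR user='you` input against each. It assumes PHP with the pdo_sqlite driver; an in-memory SQLite table stands in for MySQL, and PDO::quote() stands in for mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO so it
// runs offline; PDO::quote() plays the role of mysql_real_escape_string().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE bank_account (user TEXT, balance INTEGER)");
$pdo->exec("INSERT INTO bank_account VALUES ('me', 10), ('you', 5000)");

// Constructed input: the first value from Christopher's post.
$input = "me' OR user='you";

// 1. Vulnerable: the value is pasted straight into the SQL text, so the
//    quote inside it ends the string literal and the rest becomes SQL.
function unsafeLookup(PDO $pdo, string $user): array {
    $sql = "SELECT * FROM bank_account WHERE user='$user'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped (the thread's fix): quotes inside the value are escaped, so the
//    whole input stays one string literal and matches no account.
function escapedLookup(PDO $pdo, string $user): array {
    $sql = sprintf("SELECT * FROM bank_account WHERE user=%s", $pdo->quote($user));
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is sent separately from the SQL text and
//    is never parsed as SQL at all.
function preparedLookup(PDO $pdo, string $user): array {
    $stmt = $pdo->prepare("SELECT * FROM bank_account WHERE user = ?");
    $stmt->execute([$user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare how many accounts each variant hands back for the same input.
printf("unsafe:   %d row(s)\n", count(unsafeLookup($pdo, $input)));
printf("escaped:  %d row(s)\n", count(escapedLookup($pdo, $input)));
printf("prepared: %d row(s)\n", count(preparedLookup($pdo, $input)));
```

The unsafe variant returns every account because the WHERE clause has been rewritten, while the escaped and prepared variants return nothing because no user is literally named `me' OR user='you`.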
granite
Forum Commoner
Posts: 44
Joined: Mon Feb 09, 2009 10:52 am

Re: :?: Escaping data :?:

Post by granite »

Of course, that's what I meant. Thanks, everybody! :D