:?: Escaping data :?:
Posted: Tue May 12, 2009 11:24 am
by granite
Around the internet I found many pages talking about security. Among them, some told me to escape the data before inserting it into a database. Now, what does "escape data" mean? How and why am I supposed to do this?
Thanks.

Re: :?: Scaping data :?:
Posted: Tue May 12, 2009 11:39 am
by Eran
Among them, some told me to scape the data before inserting it into a database. Now, what does "scape data" mean?
escape data...
http://www.php.net/mysql_real_escape_string
Re: :?: Scaping data :?:
Posted: Tue May 12, 2009 12:25 pm
by granite
Hm... yeah, thanks, but this doesn't tell me much.
Why should I escape data before inserting it into a database?
Re: :?: Escaping data :?:
Posted: Tue May 12, 2009 1:12 pm
by jayshields
So people don't misuse your website. SQL injection is one of the most talked about topics in this area.
Please don't use unnecessary characters in your thread titles to attract attention.
Re: :?: Scaping data :?:
Posted: Tue May 12, 2009 2:30 pm
by Christopher
granite wrote:Hm... yeah, thanks, but this doesn't tell me much.
Why should I escape data before inserting it into a database?
Given the code:
```php
<?php
// Untrusted input from the URL is spliced straight into the SQL text (deliberately vulnerable).
mysql_query("SELECT * FROM bank_account WHERE user='{$_GET['user']}'");
```
You would get an error if the user's ID has a " in it.
Someone could send the malicious URL:
bank.com?user=me' OR user='you
or:
bank.com?user=me'; INSERT INTO bank_account balance=10000000 WHERE user='me
Not exact syntax, but hopefully you get the idea.
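The first payload above, run against a real database, as an added example that is not part of Christopher's post. It is written in Python with an in-memory SQLite table (a stand-in for the MySQL table in the thread; the table, the two rows and the `lookup_*` function names are constructed for this example). The vulnerable function splices the value into the SQL text exactly as the PHP does; the second passes it as a bound parameter instead, which is the alternative to escaping that the thread does not mention.

```python
import sqlite3

# Constructed sample rows standing in for the post's "bank_account" table.
SAMPLE_ROWS = [("me", 100), ("you", 5000)]


def make_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bank_account (user TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO bank_account VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user):
    """Builds the query by string interpolation, like the PHP in the post.
    Whatever is in `user` becomes part of the SQL text, quotes included."""
    sql = "SELECT user, balance FROM bank_account WHERE user='%s' ORDER BY user" % user
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, user):
    """Sends the SQL text and the value separately. The driver never splices
    the value into the statement, so it cannot change the query's structure."""
    sql = "SELECT user, balance FROM bank_account WHERE user=? ORDER BY user"
    return conn.execute(sql, (user,)).fetchall()


def demo():
    """Run both lookups with a benign name and with the post's first payload."""
    conn = make_db()
    benign = "me"
    malicious = "me' OR user='you"   # closes the quote, adds an OR, reuses the trailing quote
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_malicious": lookup_vulnerable(conn, malicious),
        "param_benign": lookup_parameterised(conn, benign),
        "param_malicious": lookup_parameterised(conn, malicious),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the payload, the interpolated query becomes `... WHERE user='me' OR user='you' ORDER BY user` and returns both accounts; the parameterised query looks for a user literally named `me' OR user='you` and returns nothing. The post's second payload (a stacked `INSERT`) is not shown because it depends on the server accepting two statements in one call, which neither PHP's `mysql_query()` nor Python's `sqlite3` `execute()` does.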
Re: :?: Scaping data :?:
Posted: Tue May 12, 2009 3:18 pm
by kaisellgren
granite wrote:Why should I escape data before inserting it into a database?
http://en.wikipedia.org/wiki/SQL_injection
Re: :?: Escaping data :?:
Posted: Tue May 12, 2009 6:43 pm
by granite
Hey, thanks for the links. Now this is much more clear for me. One more thing, though: doing something like
```php
<?php
$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);
```
will make my login code (at this point, of course) 100% secure? If not, what more should I consider?
PS.: smurf... I'm gonna have to redo a LOT of things.

Re: :?: Escaping data :?:
Posted: Tue May 12, 2009 6:46 pm
by Christopher
It will protect that query from injection attacks. It will not make your "login code 100% secure."
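Why "that query" is the important qualifier, as an added example that is not part of Christopher's reply. It is Python against an in-memory SQLite table (the `Users` rows, the `id` column and the function names are constructed for this example). SQLite escapes a quote inside a string literal by doubling it, so the small `escape_for_sqlite` helper below plays the role `mysql_real_escape_string` plays for MySQL; the two rules are not interchangeable, which is itself a reason to prefer bound parameters. The escaped login query from the post resists the classic `' OR '1'='1` input, but the same escaping does nothing for a value placed in an unquoted numeric position, because there is no quote for the attacker to close.

```python
import sqlite3

# Constructed sample users standing in for the post's "Users" table.
SAMPLE_USERS = [(1, "alice", "hunter2"), (2, "bob", "s3cret")]


def make_db():
    """In-memory SQLite database populated with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def escape_for_sqlite(value):
    """SQLite's rule for string literals: double every single quote.
    (MySQL's mysql_real_escape_string uses backslashes instead; an escaper
    for one dialect is not valid for another.)"""
    return str(value).replace("'", "''")


def login_escaped(conn, username, password):
    """The post's sprintf pattern: escaped values spliced into quoted literals."""
    sql = "SELECT UserName FROM Users WHERE UserName='%s' AND Password='%s'" % (
        escape_for_sqlite(username), escape_for_sqlite(password))
    return conn.execute(sql).fetchall()


def user_by_id_escaped(conn, id_value):
    """Same escaping, but the value lands in an unquoted numeric position.
    Escaping quotes cannot help: the input never needs a quote to break out."""
    sql = "SELECT UserName FROM Users WHERE id=%s ORDER BY id" % escape_for_sqlite(id_value)
    return conn.execute(sql).fetchall()


def user_by_id_parameterised(conn, id_value):
    """Bound parameter: the whole input is compared as one value."""
    sql = "SELECT UserName FROM Users WHERE id=? ORDER BY id"
    return conn.execute(sql, (id_value,)).fetchall()


def demo():
    conn = make_db()
    return {
        "login_ok": login_escaped(conn, "alice", "hunter2"),
        "login_injected": login_escaped(conn, "alice' OR '1'='1", "x"),
        "id_escaped_injected": user_by_id_escaped(conn, "1 OR 1=1"),
        "id_param_injected": user_by_id_parameterised(conn, "1 OR 1=1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The escaped login query turns the injected username into a harmless literal and returns no row, while `WHERE id=1 OR 1=1` returns every user even though the value went through the escaper. Escaping protects exactly the quoted string contexts it was written for and nothing else; bound parameters cover both cases with the same code.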
Re: :?: Escaping data :?:
Posted: Tue May 12, 2009 6:50 pm
by granite
Of course, that's what I meant. Thanks, everybody!
