urlencode() to prevent mysql_injections?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

wanner
Forum Newbie
Posts: 6
Joined: Tue Sep 22, 2009 8:09 am

urlencode() to prevent mysql_injections?

Post by wanner »

Hi,

I have a textarea, and I want to escape the data before it is stored in the database to prevent MySQL injections. First I thought to use mysql_real_escape_string(). However, this causes problems in some cases when the data is to be displayed. So my question is: is it safe to use urlencode() to prevent MySQL injections? It would be great if it is, since I can then simply urldecode() before displaying the data.

Thanks!
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: urlencode() to prevent mysql_injections?

Post by jackpf »

What!?!?!?

No, use mysql_real_escape_string().
wanner wrote:However this causes problems in some cases when the data is to be displayed
Care to elaborate?
wanner
Forum Newbie
Posts: 6
Joined: Tue Sep 22, 2009 8:09 am

Re: urlencode() to prevent mysql_injections?

Post by wanner »

I get \n and \r etc. for newlines and such. I need to translate them back to be shown properly by the browser.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: urlencode() to prevent mysql_injections?

Post by jackpf »

Have you got magic quotes turned on? Also, make sure you're not escaping data twice.

That doesn't happen if you escape correctly.
wanner
Forum Newbie
Posts: 6
Joined: Tue Sep 22, 2009 8:09 am

Re: urlencode() to prevent mysql_injections?

Post by wanner »

jackpf wrote:Have you got magic quotes turned on? Also, make sure you're not escaping data twice.

That doesn't happen if you escape correctly.
It seems that magic quotes is indeed turned on. I am not familiar with this. What is the effect? Do I not need to use mysql_real_escape_string to escape my data then?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: urlencode() to prevent mysql_injections?

Post by jackpf »

You need to turn it off!!

You can put this in a htaccess file (if you're on apache):

php_flag magic_quotes_gpc off
Should take care of it.

And yeah, you should then use mysql_real_escape_string().
wanner
Forum Newbie
Posts: 6
Joined: Tue Sep 22, 2009 8:09 am

Re: urlencode() to prevent mysql_injections?

Post by wanner »

Ok, SHOULD I turn it off? Will this have any impact on security on other parts of the code where I might have forgotten to escape my data? (I am using Joomla btw.)
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: urlencode() to prevent mysql_injections?

Post by jackpf »

I don't know about Joomla, I have never used it. But as long as you run mysql_real_escape_string() on all user supplied data being used in queries, you'll be safe from SQL injection.

Magic quotes has been removed from PHP6 anyway, so...even if you wanted to keep it, you won't be able to for long :P
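A storage and display path that follows the advice given in this thread: undo magic quotes if the server applied them, escape exactly once with mysql_real_escape_string(), and deal with newlines at display time rather than by transforming the stored data. This is an added example, not code posted in the thread; it assumes a live mysql_* connection in $link and a table `posts` with a TEXT column `body`, both hypothetical.

```php
<?php
// Added example, not from the thread. Assumes $link is an open mysql_connect()
// resource and that a table `posts` with a TEXT column `body` exists.

/**
 * Undo magic_quotes_gpc for a single GET/POST/COOKIE value when the server
 * has it on, so the value is escaped exactly once further down. Escaping twice
 * (magic quotes plus mysql_real_escape_string, or a framework layer plus
 * mysql_real_escape_string) is what leaves literal backslash sequences such
 * as \n in the stored text.
 */
function raw_request_value($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/**
 * Store textarea input. mysql_real_escape_string() escapes for the
 * connection's character set and MySQL turns the escaped literal back into
 * the original bytes on INSERT, so a real newline is stored as a newline.
 * urlencode() is not an SQL escaping function: it rewrites the stored bytes
 * and has to be undone everywhere the column is ever read.
 */
function store_body($link, $body)
{
    $body = raw_request_value($body);
    $safe = mysql_real_escape_string($body, $link);
    $sql  = "INSERT INTO posts (body) VALUES ('" . $safe . "')";
    return mysql_query($sql, $link);
}

/**
 * Display a stored body. The database holds the original text, so the only
 * work at output time is HTML escaping and turning newlines into <br>.
 */
function render_body($body)
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

if (isset($_POST['body'])) {
    store_body($link, $_POST['body']);
}
```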
wanner
Forum Newbie
Posts: 6
Joined: Tue Sep 22, 2009 8:09 am

Re: urlencode() to prevent mysql_injections?

Post by wanner »

Guess I'll turn off magic quotes then.
Thanks for your help!
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: urlencode() to prevent mysql_injections?

Post by jackpf »

Cool. It's the way to go ;)

No problem.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: urlencode() to prevent mysql_injections?

Post by kaisellgren »

wanner wrote:Ok, SHOULD I turn it off? Will this have any impact on security on other parts of the code where I might have forgotten to escape my data?
Magic Quotes and a lack of escaping easily lead to security holes. Magic Quotes were deprecated a long time ago, so no serious application should rely on Magic Quotes anymore.
wanner
Forum Newbie
Posts: 6
Joined: Tue Sep 22, 2009 8:09 am

Re: urlencode() to prevent mysql_injections?

Post by wanner »

I'm escaping my data with mysql_real_escape_string. I just had some problems getting it to work with Joomla's store-to-DB method, but I'm doing it with regular PHP now.

Thanks for your comments and help!