urlencode() to prevent mysql_injections?
Hi,
I have a textarea, and I want to escape the data before it is stored in the database to prevent mysql injections. First I thought to use mysql_real_escape_string(). However, this causes problems in some cases when the data is to be displayed. So my question is: is it safe to use urlencode() to prevent mysql injections? It would be great if it is, since I can then simply urldecode() before displaying the data.
Thanks!
Re: urlencode() to prevent mysql_injections?
What!?!?!?
No, use mysql_real_escape_string().
wanner wrote: However this causes problems in some cases when the data is to be displayed
Care to elaborate?
Re: urlencode() to prevent mysql_injections?
I get \n and \r etc. for newlines and such. Need to translate them back to be shown properly by the browser.
Re: urlencode() to prevent mysql_injections?
Have you got magic quotes turned on? Also, make sure you're not escaping data twice.
That doesn't happen if you escape correctly.
Re: urlencode() to prevent mysql_injections?
jackpf wrote: Have you got magic quotes turned on? Also, make sure you're not escaping data twice.
That doesn't happen if you escape correctly.
It seems that magic quotes is indeed turned on. I am not familiar with this. What is the effect? Do I not need to use mysql_real_escape_string to escape my data then?
Re: urlencode() to prevent mysql_injections?
You need to turn it off!!
You can put this in a htaccess file (if you're on apache):
Code:
    php_flag magic_quotes_gpc off
Should take care of it.
And yeah, you should then use mysql_real_escape_string().
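The "\n showing up in the browser" symptom from earlier in the thread is what double escaping looks like, and magic quotes is one of the two usual sources of a second escape. The following is an added example written for this thread, not code posted by anyone in it. Because mysql_real_escape_string() needs a live connection, escapeLikeMysql() and unescapeLikeMysql() are stand-ins (assumptions of this example) that apply the same character rules so the demo runs offline; undoMagicQuotes() is likewise a hypothetical helper name.

```php
<?php
// Added example (not from the thread): why escaping twice leaves a literal
// "\n" in the stored text, and how to escape exactly once when
// magic_quotes_gpc is on.
//
// escapeLikeMysql() mimics the character rules of mysql_real_escape_string()
// (NUL, \n, \r, backslash, single and double quote, Ctrl-Z). It is only here
// so the demo runs without a database; real code should call
// mysql_real_escape_string() (PHP 5) or mysqli_real_escape_string().
function escapeLikeMysql($value) {
    return strtr($value, array(
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}

// What the MySQL parser does with a quoted string literal: exactly one level
// of backslash escapes is removed before the value is stored.
function unescapeLikeMysql($literal) {
    return strtr($literal, array(
        '\\0'  => "\x00",
        '\\n'  => "\n",
        '\\r'  => "\r",
        '\\\\' => "\\",
        "\\'"  => "'",
        '\\"'  => '"',
        '\\Z'  => "\x1a",
    ));
}

// Undo magic_quotes_gpc so a value can be escaped exactly once afterwards.
// $magicQuotesOn may be forced for the demo; by default it is read from PHP.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists()
// guard; on modern PHP this is a no-op because magic quotes no longer exist.
function undoMagicQuotes($value, $magicQuotesOn = null) {
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Constructed sample input: a quote and a real newline, as from a textarea.
$raw = "It's line one\nline two";

// 1. Escaped once: what MySQL stores equals the original text.
$stored = unescapeLikeMysql(escapeLikeMysql($raw));
echo "escaped once, round-trips: ", var_export($stored === $raw, true), "\n";

// 2. Escaped twice (your own call plus a framework's store method): the
//    stored text now holds a literal backslash-n and backslash-quote, which
//    the browser then shows as-is.
$stored = unescapeLikeMysql(escapeLikeMysql(escapeLikeMysql($raw)));
echo "escaped twice, round-trips: ", var_export($stored === $raw, true), "\n";
echo "stored text: ", $stored, "\n";

// 3. Magic quotes on (simulated with addslashes(), which is what PHP applied
//    to $_POST) plus one escape: the quote comes back doubled up.
$postValue = addslashes($raw);
$stored = unescapeLikeMysql(escapeLikeMysql($postValue));
echo "magic quotes + one escape, round-trips: ", var_export($stored === $raw, true), "\n";

// 4. The fix when you cannot turn magic quotes off: strip its slashes first,
//    then escape exactly once.
$clean  = undoMagicQuotes($postValue, true);   // true: simulate magic_quotes_gpc=on
$stored = unescapeLikeMysql(escapeLikeMysql($clean));
echo "stripslashes + one escape, round-trips: ", var_export($stored === $raw, true), "\n";
```

Only case 1 and case 4 round-trip; case 2 is the thread's symptom and case 3 is the magic-quotes variant of it. The practical rule is that every value must pass through exactly one escaping step between the browser and the query, so either turn magic_quotes_gpc off as above or strip its slashes once at input, and never escape again inside a framework method that already escapes.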
Re: urlencode() to prevent mysql_injections?
Ok, SHOULD I turn it off? Will this have any impact on security on other parts of the code where I might have forgotten to escape my data? (I am using Joomla, btw.)
Re: urlencode() to prevent mysql_injections?
I don't know about Joomla, I have never used it. But as long as you run mysql_real_escape_string() on all user supplied data being used in queries, you'll be safe from SQL injection.
Magic quotes has been removed from PHP6 anyway, so... even if you wanted to keep it, you won't be able to for long.
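Escaping every value is the thread's answer, and it works as long as the value lands inside a quoted string literal. The mysql_* extension itself was removed in PHP 7.0, and its replacement, prepared statements, also removes the display problem the thread started with, because the value never goes through an escape/unescape cycle. This is an added example going beyond the thread, not code from any poster; it uses an in-memory SQLite database so it runs offline, the table name, DSN and function name are assumptions, and swapping the DSN for a MySQL one is all that changes for a real deployment.

```php
<?php
// Added example (not from the thread): storing textarea input with a PDO
// prepared statement, so no escaping and no un-escaping is needed at all.
// SQLite in memory keeps the demo self-contained; for MySQL use a DSN such as
// "mysql:host=HOST;dbname=DB;charset=utf8mb4" (placeholder values).

function storeAndFetch(PDO $db, $text) {
    $db->exec("CREATE TABLE IF NOT EXISTS notes (id INTEGER PRIMARY KEY, body TEXT)");

    // The SQL text is fixed; the value travels as a separate parameter, so
    // quotes, backslashes and newlines in $text can never change the query.
    $insert = $db->prepare("INSERT INTO notes (body) VALUES (:body)");
    $insert->execute(array(':body' => $text));
    $id = (int)$db->lastInsertId();

    // Numeric context: escaping alone does not protect an unquoted number,
    // but a bound integer parameter does.
    $select = $db->prepare("SELECT body FROM notes WHERE id = :id");
    $select->bindValue(':id', $id, PDO::PARAM_INT);
    $select->execute();
    return $select->fetchColumn();
}

// Renders stored text for the browser: SQL handling and HTML handling are
// separate problems, so the value is HTML-escaped here, and nl2br() turns the
// real newlines into <br /> tags.
function renderForHtml($text) {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample input with the characters that cause trouble when escaped twice.
$input = "O'Reilly's note\nsecond line with a \\ backslash and \"quotes\"";
$back  = storeAndFetch($db, $input);

echo "round-trips unchanged: ", var_export($back === $input, true), "\n";
echo renderForHtml($back), "\n";
```

The round trip compares equal because nothing was escaped on the way in, so there is nothing to undo on the way out; the newline survives as a real newline and nl2br() is all the browser needs. If you stay on the mysql_* functions, the same two rules still apply: escape each value once, and never place an escaped value outside quotes.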
Re: urlencode() to prevent mysql_injections?
Guess I'll turn off magic quotes then.
Thanks for your help!
Re: urlencode() to prevent mysql_injections?
Cool. It's the way to go.
No problem.
- kaisellgren
Re: urlencode() to prevent mysql_injections?
wanner wrote: Ok, SHOULD I turn it off? Will this have any impact on security on other parts of the code where I might have forgotten to escape my data?
Magic Quotes and lack of escaping easily lead to security holes. Magic Quotes were deprecated a long time ago, so no serious application should rely on Magic Quotes anymore.
Re: urlencode() to prevent mysql_injections?
I'm escaping my data with mysql_real_escape_string. Just had some problems getting it to work with Joomla's store-to-DB method. But I'm doing it with regular PHP now.
Thanks for your comments and help!