
urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 8:10 am
by wanner
Hi,

I have a textarea, and I want to escape the data before it is stored in the database to prevent mysql injections. First I thought to use mysql_real_escape_string(). However, this causes problems in some cases when the data is to be displayed. So my question is: is it safe to use urlencode() to prevent mysql_injections? It would be great if it is, since I can then simply urldecode() before displaying the data.

Thanks!

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 10:40 am
by jackpf
What!?!?!?

No, use mysql_real_escape_string().
However this causes problems in some cases when the data is to be displayed
Care to elaborate?

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 10:55 am
by wanner
I get \n and \r etc. for newlines and such. I need to translate them back to be shown properly by the browser.

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 11:23 am
by jackpf
Have you got magic quotes turned on? Also, make sure you're not escaping data twice.

That doesn't happen if you escape correctly.

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 11:29 am
by wanner
jackpf wrote: Have you got magic quotes turned on? Also, make sure you're not escaping data twice.

That doesn't happen if you escape correctly.
It seems that magic quotes is indeed turned on. I am not familiar with this. What is the effect? Do I not need to use mysql_real_escape_string to escape my data then?

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 11:39 am
by jackpf
You need to turn it off!!

You can put this in an .htaccess file (if you're on Apache):

    php_flag magic_quotes_gpc off

Should take care of it.

And yeah, you should then use mysql_real_escape_string().

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 11:41 am
by wanner
OK, SHOULD I turn it off? Will this have any impact on security on other parts of the code where I might have forgotten to escape my data? (I am using Joomla btw).

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 11:56 am
by jackpf
I don't know about Joomla, I have never used it. But as long as you run mysql_real_escape_string() on all user supplied data being used in queries, you'll be safe from SQL injection.
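An added example that is not code from the thread, from Joomla or from PHP itself. It ties together the two points made above: with magic quotes on (or with your own escaping plus the framework's) a value gets escaped twice and MySQL stores the extra backslashes, which is how a literal \n ends up in the column; and an escaped value is only safe when it is used as a quoted string, so an unquoted number has to be cast. The helpers escape_for_mysql() and mysql_unescape() are assumptions: mysql_real_escape_string() needs a live connection, so the stand-in applies the seven substitutions the PHP manual documents for it, and the unescape side mirrors how MySQL reads those sequences back out of a quoted literal. The sample textarea input is constructed.

```php
<?php
// Added example: not code from the thread, from Joomla or from PHP itself.
// It shows (1) what magic_quotes_gpc and double escaping do to a textarea
// value, which is why a literal "\n" ended up in the stored text, and
// (2) that an escaped value is only safe when it is used as a quoted string.
//
// Assumption: mysql_real_escape_string() needs a live MySQL connection, so
// escape_for_mysql() is a stand-in that applies the seven substitutions the
// PHP manual documents for it (NUL, \n, \r, \, ', ", \x1a). mysql_unescape()
// is a stand-in for how MySQL reads those sequences back out of a quoted
// literal, so the script can show what the column would contain.

function escape_for_mysql($s) {
    return strtr($s, array(
        "\x00" => '\\0', "\n" => '\\n', "\r" => '\\r', "\\" => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ));
}

function mysql_unescape($literal) {
    return strtr($literal, array(
        '\\0' => "\x00", '\\n' => "\n", '\\r' => "\r", '\\\\' => "\\",
        "\\'" => "'", '\\"' => '"', '\\Z' => "\x1a",
    ));
}

// Use this on every GET/POST/COOKIE value in real code: it removes the one
// layer of backslashes magic quotes added, and does nothing once they are off
// (or on PHP versions that no longer have get_magic_quotes_gpc()).
function clean_request_value($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escaping makes a value safe *inside quotes*; an unquoted number has to be
// cast, because "1 OR 1=1" contains none of the escaped characters.
function build_insert($user_id, $body) {
    $id_sql   = (int) $user_id;
    $body_sql = "'" . escape_for_mysql($body) . "'";
    return "INSERT INTO posts (user_id, body) VALUES ($id_sql, $body_sql)";
}

// Constructed sample input: what the user typed into the textarea.
$typed = "It's line one\nline two";
// addslashes() is exactly what magic_quotes_gpc=On does to request data,
// so this is the value the script receives with magic quotes on.
$from_request = addslashes($typed);

$cases = array(
    'magic quotes on, escaped once'     => escape_for_mysql($from_request),
    'magic quotes off, escaped twice'   => escape_for_mysql(escape_for_mysql($typed)),
    'magic quotes undone, escaped once' => escape_for_mysql(stripslashes($from_request)),
);
foreach ($cases as $label => $literal) {
    printf("%-34s literal in query:   '%s'\n", $label, $literal);
    printf("%-34s value MySQL stores: %s\n\n", '', json_encode(mysql_unescape($literal)));
}

// Quoted context vs. unquoted context for the same injection attempt.
$attempt = "1 OR 1=1";
printf("escaped, still unquoted: WHERE id = %s\n", escape_for_mysql($attempt));
printf("cast instead:            %s\n", build_insert($attempt, $typed));
```

Run it with `php` on the command line. The first case stores `It\'s` with a stray backslash before the quote (the magic quotes symptom), the second stores a literal backslash followed by `n` instead of a newline (the symptom reported at the top of the thread), and the third stores the text exactly as typed. The last two lines show that escaping leaves `1 OR 1=1` untouched, so a value that is not wrapped in quotes needs the `(int)` cast (or another whitelist) rather than escaping. Turning magic quotes off as suggested above is still the right fix; clean_request_value() is only for hosts where you cannot change that setting.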

Magic quotes has been removed from PHP6 anyway, so...even if you wanted to keep it, you won't be able to for long :P

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 12:09 pm
by wanner
Guess I'll turn off magic quotes then.
Thanks for your help!

Re: urlencode() to prevent mysql_injections?

Posted: Tue Sep 22, 2009 12:32 pm
by jackpf
Cool. It's the way to go ;)

No problem.

Re: urlencode() to prevent mysql_injections?

Posted: Fri Sep 25, 2009 11:58 am
by kaisellgren
wanner wrote: OK, SHOULD I turn it off? Will this have any impact on security on other parts of the code where I might have forgotten to escape my data?

Magic Quotes and lack of escaping easily lead to security holes. Magic Quotes were deprecated a long time ago, so no serious application should rely on Magic Quotes anymore.

Re: urlencode() to prevent mysql_injections?

Posted: Fri Sep 25, 2009 12:22 pm
by wanner
I'm escaping my data with mysql_real_escape_string. I just had some problems getting it to work with Joomla's store-to-db method, but I'm doing it with regular PHP now.

Thanks for your comments and help!