PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Sat Nov 26, 2011 5:01 pm 
Forum Newbie

Joined: Thu Nov 17, 2011 2:13 pm
Posts: 22
Can someone elaborate what this code prevents?
It is suggested to do this on any input that is used in a MySQL query.

Code:
function safe($string) {
  return "'" . mysqli_real_escape_string($string) . "'";
}


My trouble is that I do not understand why the ' (single quote) is being concatenated before and after the mysqli-escaped-string. (The "'" is a " ' " in case you cannot see it.) Is anything added by these single quotes that is not covered by mysqli_real_escape_string?

PostPosted: Sat Nov 26, 2011 7:44 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
No idea why the single quotes are being added, but the function will fail anyway since it requires two arguments.

PostPosted: Sat Nov 26, 2011 9:42 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
Generally the risk is that if you allow unescaped strings received from an unknown user to be processed by the MySQL engine, a hacker can insert characters in their input string that can be interpreted by MySQL to do destructive things like deleting your entire database and such. This is known as "SQL injection" and you can read about it at and many other places.

PostPosted: Sat Nov 26, 2011 10:12 pm 
Forum Newbie

Joined: Thu Nov 17, 2011 2:13 pm
Posts: 22
Thanks. I am aware of SQL injections (reading about them brought me to this code), but I do not know what specific injection attempts are being addressed by putting single quotes around a string that has *already* been escaped by mysqli_real_escape_string.

Sorry I didn't put the database connection argument in mysqli_real_escape_string. My fault.

Code:
// $link is the mysqli connection; mysqli_real_escape_string() needs it
// because the escaping depends on the connection's character set.
function safe($link, $string) {
  return "'" . mysqli_real_escape_string($link, $string) . "'";
}

PostPosted: Sat Nov 26, 2011 10:17 pm 
Jack of Zircons

Joined: Thu Nov 09, 2006 9:30 pm
Posts: 4484
Location: California, USA
I can only guess that that function was intended to be used by some code that expected a string that began and ended with single quotes. That doesn't sound like a good coding practice to me, so I'd consider it likely just a mistake.

PostPosted: Mon Nov 28, 2011 7:05 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
The reasoning the author of this snippet put in it is sound - if you don't have quotes around values in your SQL queries, mysql_real_escape_string will not be sufficient to prevent SQL injections. You can read about this in the article from my sig (read the plain txt version though, the html one is broken).

I don't like his solution to the problem though: I like to put the quotes in the query. If you're careful about how you use this function it should be equivalent, but in writing secure code clarity is very valuable, so having two equivalent solutions, one should choose the more readable one.

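The point made in the post above, as an added example that is not code from the thread: a stand-in for mysqli_real_escape_string() is used so it runs without a database connection, and the query text and input values are constructed.

```php
<?php
// Stand-in for mysqli_real_escape_string() (assumption: no database connection
// available here). It escapes the same characters MySQL's C escaper handles:
// NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
function escape_stub(string $s): string {
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// The thread's helper: escape AND wrap in single quotes, so the return value
// is always one complete SQL string literal, whatever the caller's query looks like.
function safe(string $string): string {
    return "'" . escape_stub($string) . "'";
}

// Escaped but NOT quoted (a numeric comparison written without quotes).
// Escaping only rewrites the characters listed above; an input made of letters,
// digits, spaces and '=' passes through unchanged and becomes part of the SQL
// grammar rather than part of a value.
function query_unquoted(string $id): string {
    return "SELECT * FROM users WHERE id = " . escape_stub($id);
}

// Escaped AND quoted: the input can only ever be the contents of one literal,
// because every quote inside it has been escaped.
function query_quoted(string $id): string {
    return "SELECT * FROM users WHERE id = " . safe($id);
}

// Constructed inputs: one that is valid SQL but not a valid id, and one
// containing a quote.
$inputs = ["1 OR 1=1", "O'Brien"];

foreach ($inputs as $input) {
    echo "input:    ", $input, "\n";
    echo "unquoted: ", query_unquoted($input), "\n";   // structure of the query changes
    echo "quoted:   ", query_quoted($input), "\n\n";   // stays a single string literal
}
```

Whether the quotes live in the helper (as in the thread's snippet) or in the query text itself, the defensive requirement is the same: an escaped value must land inside quotes, and a reviewer should be able to see that at the point where the query is written.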