found this security code, tell me what it prevents?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Markto
Forum Newbie
Posts: 22
Joined: Thu Nov 17, 2011 1:13 pm

found this security code, tell me what it prevents?

Post by Markto »

Can someone elaborate what this code prevents?
It is suggested to do this on any input that is used in a MySQL query.

Code:

function safe($string) {
  return "'" . mysqli_real_escape_string($string) . "'";
}
My trouble is that I do not understand why the ' (single quote) is being concatenated before and after the mysqli-escaped-string. (The "'" is a " ' " in case you cannot see it.) Is anything added by these single quotes that is not covered by mysqli_real_escape_string?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: found this security code, tell me what it prevents?

Post by Celauran »

No idea why the single quotes are being added, but the function will fail anyways since mysqli_real_escape_string requires two arguments.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: found this security code, tell me what it prevents?

Post by califdon »

Generally the risk is that if you allow unescaped strings received from an unknown user to be processed by the MySQL engine, a hacker can insert characters in their input string that can be interpreted by MySQL to do destructive things like deleting your entire database and such. This is known as "SQL injection" and you can read about it at http://msdn.microsoft.com/en-us/library/ms161953.aspx and many other places.
Markto
Forum Newbie
Posts: 22
Joined: Thu Nov 17, 2011 1:13 pm

Re: found this security code, tell me what it prevents?

Post by Markto »

Thanks. I am aware of SQL injections (reading about them brought me to this code), but I do not know what specific injection attempts are being addressed by putting single quotes around a string that has *already* been escaped by mysqli_real_escape_string.

Sorry I didn't put the database connection argument in mysqli_real_escape_string. My fault.

Code:

function safe($string) {
  global $link; // the open mysqli connection, created elsewhere with mysqli_connect()
  return "'" . mysqli_real_escape_string($link, $string) . "'";
}
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: found this security code, tell me what it prevents?

Post by califdon »

I can only guess that that function was intended to be used by some code that expected a string that began and ended with single quotes. That doesn't sound like a good coding practice to me, so I'd consider it likely just a mistake.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: found this security code, tell me what it prevents?

Post by Mordred »

The reasoning the author of this snippet put in it is sound - if you don't have quotes around values in your SQL queries, mysql_real_escape_string will not be sufficient to prevent SQL injections. You can read about this in the article from my sig (read the plain txt version though, the html one is broken).

I don't like his solution to the problem though: I like to put the quotes in the query. If you're careful about how you use this function it should be equivalent, but in writing secure code clarity is very valuable, so having two equivalent solutions, one should choose the more readable one.
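Mordred's point in working PHP, as an added example that is not part of the thread: the escape function only rewrites a handful of characters, so a value with none of them reaches the query unchanged, and only the surrounding quotes (or better, a prepared statement) keep it a literal. It assumes a live mysqli connection; the host, user, password and database are placeholders.

```php
<?php
// Added example, not the thread's code. Connection details are placeholders.
$link = mysqli_connect('db.example', 'app', 'PLACEHOLDER_PASSWORD', 'shop');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// The thread's helper with the connection passed in explicitly:
// escapes the value AND wraps it in single quotes.
function safe(mysqli $link, string $value): string {
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}

// mysqli_real_escape_string only rewrites \ ' " NUL \n \r and Ctrl-Z.
// A value containing none of those passes through untouched...
$input   = "5 OR 1=1";                               // constructed user input
$escaped = mysqli_real_escape_string($link, $input);
var_dump($escaped === $input);                       // bool(true)

// ...so in an UNQUOTED position escaping adds nothing: the text becomes
// part of the SQL grammar instead of staying a value.
$unsafe = "SELECT * FROM items WHERE id = " . $escaped;
//  -> SELECT * FROM items WHERE id = 5 OR 1=1   (matches every row)

// With the quotes the whole input is one string literal. MySQL compares
// id to '5 OR 1=1' (coerced to the number 5 on an integer column); the
// "OR 1=1" part is data, not SQL.
$quoted = "SELECT * FROM items WHERE id = " . safe($link, $input);
//  -> SELECT * FROM items WHERE id = '5 OR 1=1'

// Preferred fix: a prepared statement. The value never touches the SQL
// text, so the quoting question disappears entirely.
$stmt = mysqli_prepare($link, "SELECT * FROM items WHERE id = ?");
if ($stmt === false) {
    die('prepare failed: ' . mysqli_error($link));
}
mysqli_stmt_bind_param($stmt, "s", $input);   // "i" would cast to int 5 first
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
echo mysqli_stmt_num_rows($stmt), " row(s)\n";
mysqli_stmt_close($stmt);
mysqli_close($link);
```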