PHP Developers Network
http://forums.devnetwork.net/

found this security code, tell me what it prevents?
http://forums.devnetwork.net/viewtopic.php?f=34&t=133099
Page 1 of 1

Author:  Markto [ Sat Nov 26, 2011 5:01 pm ]
Post subject:  found this security code, tell me what it prevents?

Can someone elaborate what this code prevents?
it is suggested to do this on any input that is used in a mysql query.

function safe($string) {
  return "'" . mysqli_real_escape_string($string) . "'";
}


My trouble is that I do not understand why the ' (single quote) is being concatenated before and after the mysqli-escaped-string. (The "'" is a " ' " in case you cannot see it.) Is anything added by these single quotes that is not covered by mysqli_real_escape_string?

Author:  Celauran [ Sat Nov 26, 2011 7:44 pm ]
Post subject:  Re: found this security code, tell me what it prevents?

No idea why the single quotes are being added, but the function will fail anyway since it requires two arguments.

Author:  califdon [ Sat Nov 26, 2011 9:42 pm ]
Post subject:  Re: found this security code, tell me what it prevents?

Generally the risk is that if you allow unescaped strings received from an unknown user to be processed by the MySQL engine, a hacker can insert characters in their input string that can be interpreted by MySQL to do destructive things like deleting your entire database and such. This is known as "SQL injection" and you can read about it at and many other places.

Author:  Markto [ Sat Nov 26, 2011 10:12 pm ]
Post subject:  Re: found this security code, tell me what it prevents?

Thanks. I am aware of SQL injections (reading about them brought me to this code), but I do not know what specific injection attempts are being addressed by putting single quotes around a string that has *already* been escaped by mysqli_real_escape_string.

Sorry I didn't put the database connection argument in mysqli_real_escape_string. My fault.

function safe($link, $string) {
  // $link is the open mysqli connection; the escaping depends on its character set
  return "'" . mysqli_real_escape_string($link, $string) . "'";
}

Author:  califdon [ Sat Nov 26, 2011 10:17 pm ]
Post subject:  Re: found this security code, tell me what it prevents?

I can only guess that that function was intended to be used by some code that expected a string that began and ended with single quotes. That doesn't sound like a good coding practice to me, so I'd consider it likely just a mistake.

Author:  Mordred [ Mon Nov 28, 2011 7:05 am ]
Post subject:  Re: found this security code, tell me what it prevents?

The reasoning the author of this snippet put in it is sound - if you don't have quotes around values in your SQL queries, mysql_real_escape_string will not be sufficient to prevent SQL injections. You can read about this in the article from my sig (read the plain txt version though, the html one is broken).

I don't like his solution to the problem though: I like to put the quotes in the query. If you're careful about how you use this function it should be equivalent, but in writing secure code clarity is very valuable, so given two equivalent solutions one should choose the more readable one.
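To make Mordred's point concrete, here is an added example (not code from the thread) showing the three ways the same attacker-controlled value can end up in a query: escaped without quotes, escaped and quoted via the thread's safe() helper, and bound as a parameter. It assumes a reachable MySQL server with a table users(id INT, name VARCHAR(64)); the host, credentials and database name are placeholders.

```php
<?php
// Added example, not from the original post. Connection details are placeholders.
$link = new mysqli('127.0.0.1', 'demo_user', 'demo_pass', 'demo_db');
if ($link->connect_error) {
    exit('connect failed: ' . $link->connect_error . PHP_EOL);
}
// mysqli_real_escape_string escapes relative to the connection charset, so set it explicitly.
$link->set_charset('utf8mb4');

// The thread's helper: escape, then wrap the value in single quotes.
function safe(mysqli $link, string $string): string {
    return "'" . mysqli_real_escape_string($link, $string) . "'";
}

// Constructed attacker input, e.g. from $_GET['id']. It contains none of the
// characters mysqli_real_escape_string touches (NUL, \n, \r, \, ', ", ^Z).
$id = '1 OR 1=1';

// 1) Escaped but NOT quoted: there is nothing to escape, so the input is parsed
//    as SQL grammar and the WHERE clause is true for every row.
$unquoted = 'SELECT id, name FROM users WHERE id = ' . mysqli_real_escape_string($link, $id);
echo $unquoted, PHP_EOL;
// -> SELECT id, name FROM users WHERE id = 1 OR 1=1

// 2) Escaped AND quoted, which is what safe() enforces: the input is a string
//    literal. MySQL converts '1 OR 1=1' to the number 1 for the comparison
//    (with a warning), so only the row with id = 1 can match.
$quoted = 'SELECT id, name FROM users WHERE id = ' . safe($link, $id);
echo $quoted, PHP_EOL;
// -> SELECT id, name FROM users WHERE id = '1 OR 1=1'

// 3) Prepared statement: the SQL text and the value are sent separately, so no
//    escaping or quoting logic lives in application code at all.
$stmt = $link->prepare('SELECT id, name FROM users WHERE id = ?');
$stmt->bind_param('s', $id);
$stmt->execute();
$result = $stmt->get_result();
echo 'rows matched with a bound parameter: ', $result->num_rows, PHP_EOL;
$stmt->close();
$link->close();
```

Case 1 is the failure Mordred describes: escaping only neutralises the characters that would let input break out of a string literal, so if the literal has no quotes there is nothing to break out of and nothing to escape. Case 2 is safe as long as every caller remembers to use the quoted form; case 3 removes that burden, which is why prepared statements are the usual recommendation.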

All times are UTC - 5 hours