mysql_real_escape_string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

StumpDK
Forum Commoner
Posts: 35
Joined: Thu Feb 12, 2004 2:28 am
Location: Copenhagen, Denmark

Post by StumpDK »

Okay... Now I understand that mysql_real_escape_string adds extra '\' to these characters: \x00, \n, \r, \, ', " and \x1a if they are in my string/input.
Okay, I'm stupid... Why should I add an extra '\' to these characters?
Example: \n are not a threat for my query, is it?

And question 2:

On my question wheter I'll be secure from SQL Injection attacks feyd answered:
I never said nor implied that. It's not true. It's the opposite.
But how does I make the user input secure then? Is it really enough to add them to a variable and then place two 's (i.e. '$input') around it?

Sorry for my low learning ability in this difficult subject... :)
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

check the users input, if its supposed to be alpha numerical only use for example ctype_alnum() etc.
User avatar
Nathaniel
Forum Contributor
Posts: 396
Joined: Wed Aug 31, 2005 5:58 pm
Location: Arkansas, USA

Post by Nathaniel »

StumpDK wrote:Okay... Now I understand that mysql_real_escape_string adds extra '\' to these characters: \x00, \n, \r, \, ', " and \x1a if they are in my string/input.
Okay, I'm stupid... Why should I add an extra '\' to these characters?
Example: \n are not a threat for my query, is it?

And question 2:

On my question wheter I'll be secure from SQL Injection attacks feyd answered:
I never said nor implied that. It's not true. It's the opposite.
But how does I make the user input secure then? Is it really enough to add them to a variable and then place two 's (i.e. '$input') around it?

Sorry for my low learning ability in this difficult subject... :)
It's enough if you place single quotes around '$input' IF you run mysql_real_escape_string on $input.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Re: mysql_real_escape_string

Post by McGruff »

StumpDK wrote:Well, can I consider my code free of sql injection risks if I use the mysql_real_escape_string-function?
Not quite. You need to do two things:
(a) quote all string variables in an sql statement
(b) escape all string variables in an sql statement

Remember that a hacker can supply a string in an input value which you expect to be an integer (strictly speaking it will be a numeric string but praise the lord for duck typing). That's another issue - your input validation code ought to detect that.
User avatar
n00b Saibot
DevNet Resident
Posts: 1452
Joined: Fri Dec 24, 2004 2:59 am
Location: Lucknow, UP, India
Contact:

Post by n00b Saibot »

I'd say it all boils down to how you are escaping and validating the input - which means any input.
StumpDK
Forum Commoner
Posts: 35
Joined: Thu Feb 12, 2004 2:28 am
Location: Copenhagen, Denmark

Post by StumpDK »

So, if $username and $password is user-submitted in this example, my query would be completely safe?

Code: Select all

function login($username, $password){
		
	$username = mysql_real_escape_string($username);
		
	$password = md5($password);
		
	$query = "SELECT username, password FROM users WHERE username = '$username' AND password = '$password'";
}
wyred
Forum Commoner
Posts: 86
Joined: Mon Dec 20, 2004 1:59 am
Location: Singapore

Post by wyred »

I would say yes.
User avatar
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

Nothing is completely secure, but what you have posted there is 'safe'.

Don't forget to check for magic_quotes before escaping, else you will double escape and end up with extra slashes(\) in your fields.

Use this:

Code: Select all

<?php
function sqlClean ($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}
?>
Post Reply