Posted: Fri Oct 07, 2005 5:54 am
by StumpDK
Okay... Now I understand that mysql_real_escape_string adds an extra '\' before these characters: \x00, \n, \r, \, ', " and \x1a if they are in my string/input.
Okay, I'm stupid... Why should I add an extra '\' to these characters?
Example: \n is not a threat to my query, is it?

And question 2:

On my question whether I'll be secure from SQL injection attacks feyd answered:
I never said nor implied that. It's not true. It's the opposite.
But how do I make the user input secure then? Is it really enough to put it in a variable and then place two single quotes around it (i.e. '$input')?

Sorry for my low learning ability in this difficult subject... :)

Posted: Fri Oct 07, 2005 6:02 am
by mickd
Check the user's input; if it's supposed to be alphanumeric only, use for example ctype_alnum(), etc.

Posted: Fri Oct 07, 2005 8:34 am
by Nathaniel
StumpDK wrote: Okay... Now I understand that mysql_real_escape_string adds an extra '\' before these characters: \x00, \n, \r, \, ', " and \x1a if they are in my string/input.
Okay, I'm stupid... Why should I add an extra '\' to these characters?
Example: \n is not a threat to my query, is it?

And question 2:

On my question whether I'll be secure from SQL injection attacks feyd answered:
I never said nor implied that. It's not true. It's the opposite.
But how do I make the user input secure then? Is it really enough to put it in a variable and then place two single quotes around it (i.e. '$input')?

Sorry for my low learning ability in this difficult subject... :)
It's enough if you place single quotes around '$input' IF you run mysql_real_escape_string on $input.

Re: mysql_real_escape_string

Posted: Sat Oct 08, 2005 1:38 am
by McGruff
StumpDK wrote: Well, can I consider my code free of SQL injection risks if I use the mysql_real_escape_string function?
Not quite. You need to do two things:
(a) quote all string variables in an SQL statement
(b) escape all string variables in an SQL statement

Remember that a hacker can supply a string in an input value which you expect to be an integer (strictly speaking it will be a numeric string but praise the lord for duck typing). That's another issue - your input validation code ought to detect that.
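
The following is an added example, not code from anyone in this thread. It is a Python model of the PHP mysql_real_escape_string character set quoted above plus a small scanner for MySQL single-quoted literals, used to check the property McGruff's two rules are meant to guarantee: user input must never reach the statement outside a string literal. It also shows the integer-column case from the last paragraph, where escaping alone does nothing because there is no quote to escape out of. The names split_sql, code_text, build_* and structure_changed are my own, and the escape model assumes a single-byte connection character set.

```python
import re

# Added example, not code from the thread: a Python model of PHP's
# mysql_real_escape_string (the character set quoted above), a small scanner
# for MySQL single-quoted literals, and a check of the property McGruff's two
# rules are meant to guarantee: user input never reaches the statement outside
# a literal. split_sql, code_text, build_* and structure_changed are my names.

ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

QUERY = "SELECT id FROM users WHERE username = '%s'"
INT_QUERY = "SELECT id FROM users WHERE id = %s"


def mysql_real_escape_string(s):
    """Model of the PHP function; assumes a single-byte connection charset."""
    return "".join(ESCAPES.get(ch, ch) for ch in s)


def split_sql(query):
    """Split a statement into ("code", text) and ("literal", text) pieces.
    Single-quoted literals with backslash escapes and doubled quotes only;
    comments and double-quoted strings are outside this model."""
    segments, buf, kind, i = [], [], "code", 0
    while i < len(query):
        ch = query[i]
        if kind == "code" and ch == "'":                  # literal opens
            segments.append(("code", "".join(buf)))
            buf, kind = [], "literal"
        elif kind == "code":
            buf.append(ch)
        elif ch == "\\" and i + 1 < len(query):            # escape: stay inside
            buf.append(query[i:i + 2])
            i += 1
        elif ch == "'" and query[i + 1:i + 2] == "'":      # '': stay inside
            buf.append("''")
            i += 1
        elif ch == "'":                                    # literal closes
            segments.append(("literal", "".join(buf)))
            buf, kind = [], "code"
        else:
            buf.append(ch)
        i += 1
    segments.append((kind, "".join(buf)))
    return segments


def code_text(query):
    """The statement with the contents of every literal removed."""
    return "".join(text for kind, text in split_sql(query) if kind == "code")


def build_quoted_escaped(user):
    """McGruff's (a) and (b): the value is quoted and escaped."""
    return QUERY % mysql_real_escape_string(user)


def build_quoted_only(user):
    """(a) without (b): quoted but not escaped."""
    return QUERY % user


def build_int_escaped_unquoted(user):
    """Integer column: escaped, but not quoted because 'it is a number'."""
    return INT_QUERY % mysql_real_escape_string(user)


def build_int_validated(user):
    """The input validation McGruff asks for before using an integer value."""
    if not re.fullmatch(r"[0-9]+", user):
        raise ValueError("expected an integer id, got %r" % user)
    return INT_QUERY % int(user)


def structure_changed(build, payload, benign):
    """True when the payload altered the statement outside any literal."""
    return code_text(build(payload)) != code_text(build(benign))


if __name__ == "__main__":
    cases = [(build_quoted_escaped, "' OR '1'='1", "alice"),
             (build_quoted_escaped, "\\' OR 1=1 -- ", "alice"),
             (build_quoted_only, "' OR '1'='1", "alice"),
             (build_int_escaped_unquoted, "1 OR 1=1", "42")]
    for build, payload, benign in cases:
        print("%-26s %-16r changed: %s" % (build.__name__, payload,
                                           structure_changed(build, payload, benign)))
    try:
        build_int_validated("1 OR 1=1")
    except ValueError as err:
        print("validation:", err)
```

Running it prints "changed: False" for the quoted-and-escaped builder on both payloads (the backslash one included, since the backslash itself is escaped), and "changed: True" for the quoted-but-unescaped builder and for the unquoted integer column, which is exactly the case the validation step has to catch.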

Posted: Sat Oct 08, 2005 2:08 am
by n00b Saibot
I'd say it all boils down to how you are escaping and validating the input - which means any input.

Posted: Sun Oct 09, 2005 9:13 am
by StumpDK
So, if $username and $password are user-submitted in this example, would my query be completely safe?

function login($username, $password){

	// Escape the raw username before it goes inside a quoted string literal
	$username = mysql_real_escape_string($username);

	// md5() returns 32 hex characters, so nothing in it needs escaping
	$password = md5($password);

	$query = "SELECT username, password FROM users WHERE username = '$username' AND password = '$password'";

	return $query;
}

Posted: Sun Oct 09, 2005 9:53 pm
by wyred
I would say yes.

Posted: Tue Oct 11, 2005 8:36 am
by Jenk
Nothing is completely secure, but what you have posted there is 'safe'.

Don't forget to check for magic_quotes before escaping, else you will double-escape and end up with extra slashes (\) in your fields.

Use this:

<?php
// Undo the slashes magic_quotes_gpc already added, then escape exactly once for MySQL
function sqlClean ($string) {
    if (get_magic_quotes_gpc()) {
        // Request data arrived with addslashes() applied; remove that layer first
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}
?>