Posted: Fri Oct 07, 2005 5:54 am
by StumpDK
Okay... Now I understand that mysql_real_escape_string
adds an extra '\' to these characters: \x00, \n, \r, \, ', " and \x1a if they are in my string/input.
Okay, I'm stupid... Why should I add an extra '\' to these characters?
Example: \n is not a threat to my query, is it?
And question 2:
On my question whether I'll be secure from SQL injection attacks, feyd answered:
I never said nor implied that. It's not true. It's the opposite.
But how do I make the user input secure then? Is it really enough to put it in a variable and then place two 's (i.e. '$input') around it?
Sorry for my low learning ability in this difficult subject...

Posted: Fri Oct 07, 2005 6:02 am
by mickd
Check the user's input; if it's supposed to be alphanumeric only, use for example ctype_alnum(), etc.
Posted: Fri Oct 07, 2005 8:34 am
by Nathaniel
StumpDK wrote: Okay... Now I understand that mysql_real_escape_string
adds an extra '\' to these characters: \x00, \n, \r, \, ', " and \x1a if they are in my string/input.
Okay, I'm stupid... Why should I add an extra '\' to these characters?
Example: \n is not a threat to my query, is it?
And question 2:
On my question whether I'll be secure from SQL injection attacks, feyd answered:
I never said nor implied that. It's not true. It's the opposite.
But how do I make the user input secure then? Is it really enough to put it in a variable and then place two 's (i.e. '$input') around it?
Sorry for my low learning ability in this difficult subject...

It's enough if you place single quotes around '$input' IF you run mysql_real_escape_string on $input.
Re: mysql_real_escape_string
Posted: Sat Oct 08, 2005 1:38 am
by McGruff
StumpDK wrote: Well, can I consider my code free of SQL injection risks if I use the mysql_real_escape_string function?
Not quite. You need to do two things:
(a) quote all string variables in an sql statement
(b) escape all string variables in an sql statement
Remember that a hacker can supply a string in an input value which you expect to be an integer (strictly speaking it will be a numeric string but praise the lord for duck typing). That's another issue - your input validation code ought to detect that.
Posted: Sat Oct 08, 2005 2:08 am
by n00b Saibot
I'd say it all boils down to how you are escaping and validating the input - which means any input.
Posted: Sun Oct 09, 2005 9:13 am
by StumpDK
So, if $username and $password are user-submitted in this example, would my query be completely safe?
function login($username, $password){
    // mysql_real_escape_string() needs an open mysql connection: call it after mysql_connect().
    $username = mysql_real_escape_string($username);
    // md5() returns 32 hex characters, so nothing in $password needs escaping; it is still quoted below.
    $password = md5($password);
    // Both values are quoted AND escaped, so a quote inside $username cannot end the string literal.
    $query = "SELECT username, password FROM users WHERE username = '$username' AND password = '$password'";
    return $query;
}
Posted: Sun Oct 09, 2005 9:53 pm
by wyred
I would say yes.
Posted: Tue Oct 11, 2005 8:36 am
by Jenk
Nothing is completely secure, but what you have posted there is 'safe'.
Don't forget to check for magic_quotes before escaping, else you will double escape and end up with extra slashes (\) in your fields.
Use this:
<?php
function sqlClean ($string) {
    // With magic_quotes_gpc on, PHP has already run addslashes() on every
    // GET/POST/cookie value; undo that first so the value is escaped exactly once.
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return mysql_real_escape_string($string);
}
?>
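The three points made in this thread, by mickd and McGruff (quote AND escape every string value; validate values that are supposed to be integers, because escaping does nothing for an unquoted number) and by Jenk (undo magic_quotes before escaping or you double-escape), as one added example that is not code from any poster in the thread. It is written in Python so it runs without a MySQL server: mysql_escape(), add_slashes() and strip_slashes() are re-implementations of the documented behaviour of mysql_real_escape_string(), addslashes() and stripslashes(), not the PHP functions themselves, and stored_value() models how MySQL decodes a single-quoted literal. The table and column names and the sample inputs are constructed for the example.

```python
import hashlib
import re

# The eight characters the thread lists as rewritten by mysql_real_escape_string(),
# and the two-character sequence each becomes. Re-implemented here for illustration
# (an assumption of this example); the real function lives in libmysqlclient and
# needs an open connection.
_ESCAPES = {
    "\x00": "\\0",   # NUL terminates C strings; unescaped it would truncate the query
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",    # a raw backslash must not be able to swallow the next escape
    "'": "\\'",      # the character that actually closes a single-quoted literal
    '"': '\\"',
    "\x1a": "\\Z",   # Ctrl-Z, end-of-file for some Windows tooling
}
_UNESCAPES = {seq[1]: raw for raw, seq in _ESCAPES.items()}

def mysql_escape(value: str) -> str:
    """Escape a value the way mysql_real_escape_string() does."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def string_literal(value: str) -> str:
    """McGruff's rules (a) and (b) together: escape the value AND wrap it in quotes."""
    return "'" + mysql_escape(value) + "'"

def stored_value(literal: str) -> str:
    """Model of how MySQL decodes a single-quoted literal, i.e. what lands in the column."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal: %r" % literal)
    out, chars = [], iter(literal[1:-1])
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, "")
            out.append(_UNESCAPES.get(nxt, nxt))  # an unknown \x is just x in MySQL
        else:
            out.append(ch)
    return "".join(out)

def login_query(username: str, password: str) -> str:
    """StumpDK's login() with both values quoted and escaped (constructed table/columns)."""
    password_md5 = hashlib.md5(password.encode()).hexdigest()  # hex only, but still quoted
    return ("SELECT username, password FROM users WHERE username = "
            + string_literal(username) + " AND password = " + string_literal(password_md5))

def by_id_unquoted(user_id: str) -> str:
    """The trap: an integer column interpolated without quotes. Escaping cannot help,
    because the attacker never needs a quote character."""
    return "SELECT username FROM users WHERE id = " + mysql_escape(user_id)

def int_param(value: str) -> int:
    """mickd's / McGruff's point: validate what must be an integer (ctype_digit() in PHP)."""
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError("expected a decimal integer, got %r" % value)
    return int(value)

def by_id_checked(user_id: str) -> str:
    return "SELECT username FROM users WHERE id = %d" % int_param(user_id)

def add_slashes(value: str) -> str:
    """Model of PHP addslashes(), which magic_quotes_gpc applied to every
    GET/POST/cookie value before the script ever saw it."""
    return "".join("\\0" if ch == "\x00" else ("\\" + ch if ch in "'\"\\" else ch)
                   for ch in value)

def strip_slashes(value: str) -> str:
    """Model of PHP stripslashes(): undo add_slashes()."""
    out, chars = [], iter(value)
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, "")
            out.append("\x00" if nxt == "0" else nxt)
        else:
            out.append(ch)
    return "".join(out)

def sql_clean(received: str, magic_quotes_gpc: bool) -> str:
    """Jenk's sqlClean(): undo magic_quotes first, then escape exactly once."""
    if magic_quotes_gpc:
        received = strip_slashes(received)
    return mysql_escape(received)

def stored_name(submitted: str, magic_quotes_gpc: bool, use_sql_clean: bool) -> str:
    """End to end: the browser submits `submitted`, PHP hands the script the
    magic-quoted form, the script escapes once or twice, and we read the column."""
    received = add_slashes(submitted) if magic_quotes_gpc else submitted
    escaped = sql_clean(received, magic_quotes_gpc) if use_sql_clean else mysql_escape(received)
    return stored_value("'" + escaped + "'")

if __name__ == "__main__":
    print(login_query("admin' OR '1'='1", "hunter2"))  # the quote is neutralised
    print(by_id_unquoted("1 OR 1=1"))                  # nothing to escape: injection
    print(repr(stored_name("O'Brien", True, False)))   # double escaped: O\'Brien in the column
    print(repr(stored_name("O'Brien", True, True)))    # sqlClean: O'Brien in the column
```

Running it shows the answer to the "why escape \n" question from the top of the page: \n and friends are not dangerous on their own, but escaping the whole set is what keeps a quoted literal well-formed no matter what is inside it, and the single quote is the one that matters for injection. It also shows why the integer case is separate: `by_id_unquoted("1 OR 1=1")` comes out unchanged, so only a check like `int_param()` helps there.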