Regex vs. mysql_real_escape_string

Jixxor
Forum Commoner
Posts: 46
Joined: Wed Jun 07, 2006 5:53 pm
Location: Lakeland, FL

Post by Jixxor »

Knowing that regex would most likely be the best solution in the sense of preventing SQL injection attacks and other forms of attacks, would mysql_real_escape_string() do the same thing?

I've noticed when researching the topics of SQL injection and security over user input that the two seem to be commonly used to filter the input before it is inserted.
Ree
Forum Regular
Posts: 592
Joined: Fri Jun 10, 2005 1:43 am
Location: LT

Post by Ree »

I think it's always best to use the functionality provided by the specific db that is used. You have mysql_real_escape_string() readily available, why not use it?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

regex is useful for filtering input: checking it is of the expected type/format/value.

mysql_real_escape_string (and the related escape functions for other DB libs) ESCAPE data. For example, you may filter usernames and allow quotes, for example in O'Connor. However, MySQL needs to escape apostrophes, and so mysql_real_escape_string would be an extra step prior to using the value in an SQL query.

Typically escaping would not alter the originally filtered data - unless you want to output O''Connor or O\'Connor to users...

Filtering and Escaping are two different things.
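The two-step separation described in this post, as an added example that is not from the thread or any of its posters. It assumes an open `mysqli` connection in `$db`, a constructed username policy (letters, digits, apostrophe, hyphen), and uses `mysqli_real_escape_string`, the current counterpart of `mysql_real_escape_string` (the `mysql_*` extension was removed in PHP 7).

```php
<?php
// Added example: filtering and escaping as two separate steps.

// Step 1: FILTER. Decide what a username is allowed to look like.
// Apostrophes are permitted (O'Connor), which is exactly why a
// separate escape step is still needed before the value touches SQL.
function filter_username(string $input): ?string
{
    // Assumption: 2-32 chars of letters, digits, apostrophe, hyphen.
    return preg_match("/^[A-Za-z0-9'-]{2,32}$/", $input) === 1 ? $input : null;
}

// Step 2: ESCAPE, only at the moment the value is placed into a query.
// mysqli_real_escape_string needs a live connection because the escaping
// rules depend on the connection's character set.
function build_lookup_query(mysqli $db, string $username): string
{
    $escaped = mysqli_real_escape_string($db, $username);
    return "SELECT id FROM users WHERE username = '$escaped'";
}

// Usage with constructed inputs (assumes $db is an open mysqli connection).
$db = new mysqli('localhost', 'app', 'secret', 'appdb');

foreach (["O'Connor", "x' OR '1'='1", "<b>bob</b>"] as $raw) {
    $clean = filter_username($raw);
    if ($clean === null) {
        // Spaces, '=', '<' and '>' are outside the policy: rejected up front.
        echo "rejected by filter: $raw\n";
        continue;
    }
    // $clean is still O'Connor: the filtered value is what you store and
    // display. Escaping happens only inside the query string.
    echo build_lookup_query($db, $clean), "\n";
}
```

For `O'Connor` the filter passes the value unchanged and the query text carries `O\'Connor`; the other two inputs never reach the escape step.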
Jixxor
Forum Commoner
Posts: 46
Joined: Wed Jun 07, 2006 5:53 pm
Location: Lakeland, FL

Post by Jixxor »

Great, thanks for the clarification.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

No problem, if you need any other information just shout ;).
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

There is also a lot of useful information in the Security Resources thread.