PHP escaping strings for me.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

PHP escaping strings for me.

Post by JellyFish »

It seems as though when I place variables into a MySQL query string PHP is escaping my string for me and I don't have to use mysql_real_escape_string() on my string variables. This is only for strings though.

Is this normal? Is there some kind of new feature in PHP that does this, or is it MySQL escaping strings? It couldn't be MySQL, because how would MySQL know what should be escaped and what should not?

It probably would be a good idea to give you an example right about now.

Code:
$queryString = "SELECT * FROM t1 WHERE id = $id AND name = '$name'";
mysql_query($queryString);
So let's say I have two variables, $id and $name. If $name equaled "' OR 1", in an attempt to inject into my query, for some reason when I print $queryString it shows that $name equaled "\' OR 1". It seems that somewhere, something had escaped $name for me.

On the other hand, if $id equals "' OR 1", the injection is successful. I guess this is because it's not wrapped in single quotes, which leads me to believe that the mysql_query() function is the one that's parsing my passed-in string and escaping things. But how would mysql_query() know what should be escaped any more than MySQL itself?

I don't see anywhere in php's manual that explains this. :S
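The effect described in the post above, as an added example (editor's code, not from the thread): a simulated magic_quotes_gpc pass over constructed request data, the interpolated query from the post, and a version that validates the numeric position and binds the string one. It assumes the pdo_sqlite extension is available; SQLite stands in for MySQL because the point is interpolation versus placeholders, not a MySQL feature, and the table t1 with columns id and name is constructed for the example.

```php
<?php
// Added example, not code from the thread. magic_quotes_gpc was PHP running
// addslashes() over GET, POST and COOKIE data before the script started. That
// neutralises a quote inside a quoted string literal, but an unquoted numeric
// position contains nothing for addslashes() to escape.

// Constructed attacker input, as it would arrive in $_GET.
$request = [
    'id'   => '0 OR 1=1 -- ',   // numeric position: no quote, so addslashes() changes nothing
    'name' => "' OR 1",         // string position: the payload from the post
];

// What magic_quotes_gpc did to request data.
function apply_magic_quotes(array $gpc): array
{
    return array_map('addslashes', $gpc);
}

// The query from the post, built by interpolation.
function naive_query(array $in): string
{
    return "SELECT * FROM t1 WHERE id = {$in['id']} AND name = '{$in['name']}'";
}

// Context-aware version: the integer position is validated as an integer and the
// string position goes through a placeholder, so quoting is the driver's job and
// no request-time filter is involved at all.
function lookup(PDO $db, array $in): array
{
    $id = filter_var($in['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT * FROM t1 WHERE id = ? AND name = ?');
    $stmt->execute([$id, $in['name']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Assumption: pdo_sqlite is available. The table and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t1 (id INTEGER, name TEXT)');
$db->exec("INSERT INTO t1 VALUES (1, 'alice'), (2, 'bob')");

$sql = naive_query(apply_magic_quotes($request));
echo $sql, "\n";
// The quote in name has been escaped, but the id payload turned the rest of the
// WHERE clause into a comment, so the query matches every row in the table.
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) from the interpolated query\n";

try {
    lookup($db, $request);                  // raw input, no magic quotes involved
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // the id payload is not an integer
}

// The quoted payload, bound as a value, is compared as literal text and matches nothing.
$rows = lookup($db, ['id' => '1', 'name' => "' OR 1"]);
echo count($rows), " row(s) for the quoted payload as a bound value\n";
```

Escaping is a property of the position a value lands in: a quoted string literal, a bare number, an identifier and a LIKE pattern each need different treatment, which is why one filter applied to all input at request time cannot be right for all of them, and why a placeholder, which lets the driver handle each value in its own context, is.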
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: PHP escaping strings for me.

Post by Benjamin »

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: PHP escaping strings for me.

Post by JellyFish »

Oh I see. It says that magic quotes is the same as addslashes(), but is addslashes() equivalent to mysql_real_escape_string()? Is it safe to rely on it?

[EDIT] I mean to say, is it safe to rely on it for replacing mysql_real_escape_string()?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: PHP escaping strings for me.

Post by Benjamin »

No, use mysql_real_escape_string() and disable magic_quotes.
susrisha
Forum Contributor
Posts: 439
Joined: Thu Aug 07, 2008 11:43 pm
Location: Hyderabad India

Re: PHP escaping strings for me.

Post by susrisha »

Just a query on magic_quotes. Why disable magic_quotes and do a mysql_real_escape when you have a default parser getting it done for you? I mean, I have tried to install Joomla and it says "security warning, magic_quotes is enabled". What is so wrong about it? What if I put it on and do the site? I think I failed to understand the essence behind implementing magic_quotes. Can someone explain it to me?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: PHP escaping strings for me.

Post by Benjamin »

PHP.NET wrote: Why not to use Magic Quotes
  • Portability: Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
  • Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
  • Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().
http://us3.php.net/manual/en/security.m ... whynot.php

I can think of a number of other reasons. It's just not a good idea.
susrisha
Forum Contributor
Posts: 439
Joined: Thu Aug 07, 2008 11:43 pm
Location: Hyderabad India

Re: PHP escaping strings for me.

Post by susrisha »

thanks for the information
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP escaping strings for me.

Post by kaisellgren »

addslashes() does nowhere near enough to prevent SQL injections. Relying on it (or magic quotes) is a big security risk.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: PHP escaping strings for me.

Post by JellyFish »

So what shall I do? I don't think I have root access to the site, so how could I disable it, if I should. What other kinds of SQL injection could work even with magic quotes off?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP escaping strings for me.

Post by kaisellgren »

JellyFish wrote: So what shall I do? I don't think I have root access to the site, so how could I disable it, if I should. What other kinds of SQL injection could work even with magic quotes off?
A couple of ways to disable it.

1) Use ini_set()
2) Use .htaccess and php_flag
3) Place a php.ini file on the server (might or might not work)
4) In my project, I have this method: (which should be run only if get_magic_quotes_gpc() returns true)

Code:
static function take_care_of_magic_quotes()
{
    // Only needed when PHP has already run addslashes() over the request data.
    if (!get_magic_quotes_gpc()) {
        return;
    }
    // References, so the superglobals themselves are modified ($_REQUEST is not covered).
    $gpc = array(&$_GET, &$_POST, &$_COOKIE);
    self::getout($gpc);
}

// Recursively stripslashes() every string in a (possibly nested) array, in place.
// A static helper: a named function declared inside the method fatals on the second call.
static function getout(&$arr)
{
    if (!is_array($arr)) {
        return;
    }
    foreach ($arr as $key => $val) {
        is_array($arr[$key]) ? self::getout($arr[$key]) : ($arr[$key] = stripslashes($arr[$key]));
    }
}
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP escaping strings for me.

Post by Mordred »

Quoting values in SQL queries is - as you've found out - essential.
Details: http://www.webappsec.org/projects/articles/091007.shtml
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: PHP escaping strings for me.

Post by JellyFish »

What does mysql_real_escape_string() do that magic quotes doesn't already do for me? Why should I disable magic quotes and manually escape user input with mysql_real_escape_string()?
Last edited by JellyFish on Tue Mar 10, 2009 10:31 am, edited 1 time in total.
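The concrete gap between addslashes() and a charset-aware escaper, as an added example (editor's code, not from the thread) addressing the question above and kaisellgren's earlier point that addslashes() is not enough. addslashes() works byte by byte, while the server parses the query in the connection's character set; in a multi-byte charset such as GBK, a byte that looks like the start of a two-byte character can absorb the backslash addslashes() inserts, leaving the quote behind it live. The GBK byte ranges and the MySQL escape set are as documented; literal_terminates_early() and gbk_escape() are models written for illustration, not the server's or the client library's code, and the payload is constructed.

```php
<?php
// Added example, not code from the thread. Shows why escaping has to know the
// connection charset: a byte-wise filter like addslashes() can produce a byte
// sequence that a GBK-aware parser reads differently from what the filter intended.

// Length of the GBK character starting at offset $i: lead bytes 0x81-0xFE take
// one trail byte in 0x40-0xFE (0x7F excluded); everything else is one byte.
function gbk_char_len(string $s, int $i): int
{
    $b = ord($s[$i]);
    if ($b >= 0x81 && $b <= 0xFE && $i + 1 < strlen($s)) {
        $t = ord($s[$i + 1]);
        if ($t >= 0x40 && $t <= 0xFE && $t !== 0x7F) {
            return 2;
        }
    }
    return 1;
}

// Model of how a GBK-aware parser walks the body of a '...' literal: a complete
// two-byte character is consumed whole, a backslash consumes the byte after it,
// and a bare quote terminates the literal early, which is what an injection needs.
function literal_terminates_early(string $body): bool
{
    $n = strlen($body);
    for ($i = 0; $i < $n; $i++) {
        if (gbk_char_len($body, $i) === 2) {
            $i++;
        } elseif ($body[$i] === '\\') {
            $i++;
        } elseif ($body[$i] === "'") {
            return true;
        }
    }
    return false;
}

// Model of charset-aware escaping for GBK. Valid two-byte characters pass
// through untouched; a lone byte that merely looks like a lead byte is itself
// escaped, so the parser cannot pair it with the backslash added for the quote
// after it; the usual MySQL specials get the mysql_real_escape_string() treatment.
function gbk_escape(string $s): string
{
    $specials = [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        "'" => "\\'", '"' => '\\"', '\\' => '\\\\',
    ];
    $out = '';
    $n = strlen($s);
    for ($i = 0; $i < $n; $i++) {
        if (gbk_char_len($s, $i) === 2) {
            $out .= substr($s, $i, 2);
            $i++;
            continue;
        }
        $c = $s[$i];
        $b = ord($c);
        if ($b >= 0x81 && $b <= 0xFE) {
            $out .= '\\' . $c;          // apparent lead byte with no valid trail byte
            continue;
        }
        $out .= $specials[$c] ?? $c;
    }
    return $out;
}

// Constructed payload: 0xBF is a valid GBK lead byte, but the quote after it is
// not a valid trail byte, so on input they are two separate single bytes.
$payload = "\xbf' OR 1=1 -- ";

// addslashes() yields BF 5C 27 ...: BF 5C is now one GBK character and the
// quote is bare. gbk_escape() yields 5C BF 5C 27 ...: the lone BF is escaped
// first, so the parser's backslash handling stays in step.
$candidates = [
    'addslashes' => addslashes($payload),
    'gbk_escape' => gbk_escape($payload),
];
foreach ($candidates as $name => $body) {
    printf("%-10s %-14s %s\n", $name, bin2hex(substr($body, 0, 6)),
        literal_terminates_early($body) ? 'quote survives: injectable' : 'literal intact');
}
```

The escaper can only do this if it knows the charset the server will parse with, which is why the escaping function is tied to a connection rather than applied to all input at request time, and why the connection charset should be set with mysql_set_charset() rather than with a SET NAMES query the client library never sees. Placeholders avoid the question entirely, since the value is never spliced into the query text.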
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: PHP escaping strings for me.

Post by Mordred »

kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: PHP escaping strings for me.

Post by kaisellgren »

Plus, you are not always passing all data into the database. For instance, when saving the data into a file, there is rarely a point in escaping a few characters.

Btw, do not forget magic quotes runtime.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Re: PHP escaping strings for me.

Post by JellyFish »

That was fast. You're good, you.

I can't seem to disable magic quotes though. I had a php.ini file in the root directory of my site, and I set magic_quotes_gpc to 0 and tried Off. But it doesn't appear to be working, from what I can see in the results of phpinfo(). It would have been nice to be able to just change ini directives through a php.ini file. But I guess I could try another method.

Using ini_set() isn't an option according to the PHP manual. So maybe an .htaccess file will do the trick? But what do I have to put into an .htaccess file?

[EDIT] phpinfo says:
Directive             Local Value   Master Value
magic_quotes_gpc      On            On
magic_quotes_runtime  Off           Off
magic_quotes_sybase   Off           Off