PHP escaping strings for me.
Posted: Mon Mar 09, 2009 8:50 pm
by JellyFish
It seems as though when I place variables into a MySQL query string PHP is escaping my string for me and I don't have to use mysql_real_escape_string() on my string variables. This is only for strings though.
Is this normal? Is there some kind of new feature in PHP that does this, or is it MySQL escaping strings? It couldn't be MySQL, because how would MySQL know what should be escaped and what should not?
It probably would be a good idea to give you an example right about now.
$queryString = "SELECT * FROM t1 WHERE id = $id AND name = '$name'";
mysql_query($queryString);
So let's say I have two variables, $id and $name. If $name equaled "' OR 1", in an attempt to inject my query, for some reason when I print $queryString it shows that $name equaled "\' OR 1". It seems somewhere, something had escaped $name for me.
On the other hand, though, if $id equals "' OR 1", the injection is successful. I guess this is because it's not wrapped in single quotes, which leads me to believe that the mysql_query() function is the one that's parsing my passed-in string and escaping things. But how would mysql_query() know what should be escaped any more than MySQL itself?
I don't see anywhere in php's manual that explains this. :S
Re: PHP escaping strings for me.
Posted: Mon Mar 09, 2009 9:09 pm
by Benjamin
Re: PHP escaping strings for me.
Posted: Mon Mar 09, 2009 11:27 pm
by JellyFish
Oh I see. It says that magic quotes is the same as addslashes(), but is addslashes() equivalent to mysql_real_escape_string()? Is it safe to rely on it?
[EDIT] I mean to say, is it safe to rely on it for replacing mysql_real_escape_string()?
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 12:15 am
by Benjamin
No, use mysql_real_escape_string() and disable magic_quotes.
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 12:28 am
by susrisha
Just a query on the magic_quotes. Why disable magic_quotes and do a mysql_real_escape when you have a default parser getting it done for you? I mean, I have tried to install Joomla and it says "security warning, magic_quotes is enabled". What is so wrong about it? What if I put it on and do the site? I think I failed to understand the essence behind implementing magic_quotes. Can someone explain it to me?
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 12:34 am
by Benjamin
PHP.NET wrote:
Why not to use Magic Quotes
- Portability: Assuming it to be on, or off, affects portability. Use get_magic_quotes_gpc() to check for this, and code accordingly.
- Performance: Because not every piece of escaped data is inserted into a database, there is a performance loss for escaping all this data. Simply calling on the escaping functions (like addslashes()) at runtime is more efficient. Although php.ini-dist enables these directives by default, php.ini-recommended disables it. This recommendation is mainly due to performance reasons.
- Inconvenience: Because not all data needs escaping, it's often annoying to see escaped data where it shouldn't be. For example, emailing from a form, and seeing a bunch of \' within the email. To fix, this may require excessive use of stripslashes().
http://us3.php.net/manual/en/security.m ... whynot.php
I can think of a number of other reasons. It's just not a good idea.
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 2:13 am
by susrisha
thanks for the information
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 9:31 am
by kaisellgren
addslashes() does nowhere near enough to prevent SQL injections. Relying on it (or magic quotes) is a big security risk.
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 9:43 am
by JellyFish
So what shall I do? I don't think I have root access to the site, so how could I disable it, if I should. What other kinds of SQL injection could work even with magic quotes off?
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 9:47 am
by kaisellgren
JellyFish wrote:So what shall I do? I don't think I have root access to the site, so how could I disable it, if I should. What other kinds of SQL injection could work even with magic quotes off?
A couple of ways to disable it.
1) Use ini_set()
2) Use .htaccess and php_flag
3) Place a php.ini file on the server (might or might not work)
4) In my project, I have this method (which should be run only if get_magic_quotes_gpc() returns true):
// Enclosing class name is a placeholder; the post shows only the method.
class Request
{
    // Undo magic_quotes_gpc by stripping the added slashes from GET, POST and COOKIE.
    static function take_care_of_magic_quotes()
    {
        // Guard the nested declaration so calling this method twice does not
        // trigger a "cannot redeclare getout()" fatal error.
        if (!function_exists('getout')) {
            // Walk every nested array and strip slashes from each scalar value.
            function getout(&$arr)
            {
                if (!is_array($arr))
                    return;
                foreach ($arr as $key => $val)
                    is_array($arr[$key]) ? getout($arr[$key]) : ($arr[$key] = stripslashes($arr[$key]));
            }
        }
        // References, so the superglobals themselves are modified in place.
        $gpc = array(&$_GET, &$_POST, &$_COOKIE);
        getout($gpc);
    }
}
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 9:52 am
by Mordred
Quoting values in SQL queries is - as you've found out - essential.
Details:
http://www.webappsec.org/projects/articles/091007.shtml
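As an added example (not code from the thread), here is the original post's query rebuilt so that each value is either cast to the integer type its column expects or escaped with the connection-aware escaper and quoted by the code itself, so neither magic quotes nor addslashes() is relied on; the connection parameters and table are placeholders.

```php
<?php
// Assumed placeholder connection; the thread uses the old mysql_* extension.
$link = mysql_connect('localhost', 'db_user', 'db_password') or die('connect failed');
mysql_select_db('app_db', $link);

// Undo magic_quotes_gpc first so that values are escaped exactly once below,
// never twice (double escaping is the "\' in emails" problem quoted from php.net).
function raw_param($name)
{
    $value = isset($_GET[$name]) ? $_GET[$name] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// The bare $id in the original query is the case no quote-escaping can fix:
// the only safe option is to refuse anything that is not an integer literal.
function quote_int($value)
{
    if (!ctype_digit((string) $value)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    return (int) $value;
}

// mysql_real_escape_string() escapes according to the connection's charset,
// which addslashes() and magic quotes do not; the surrounding quotes are ours.
function quote_string($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

function build_query($id, $name, $link)
{
    return 'SELECT * FROM t1 WHERE id = ' . quote_int($id)
         . ' AND name = ' . quote_string($name, $link);
}

try {
    // With $id = "' OR 1" this throws instead of building a query at all;
    // with $name = "' OR 1" the value arrives as a quoted, escaped literal.
    $query  = build_query(raw_param('id'), raw_param('name'), $link);
    $result = mysql_query($query, $link) or die(mysql_error($link));
} catch (InvalidArgumentException $e) {
    header('HTTP/1.1 400 Bad Request');
    echo 'Invalid id';
}
```

With mysqli or PDO, prepared statements with bound parameters remove the need for hand-quoting altogether.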
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 10:29 am
by JellyFish
What does mysql_real_escape_string that magic quotes doesn't already do for me? Why should I disable magic quotes and manually escape user input with mysql_real_escape_string?
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 10:30 am
by Mordred
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 10:42 am
by kaisellgren
Plus, you are not always passing all data into the database. For instance, when saving the data into a file, there is rarely a point in escaping a few characters.
Btw, do not forget magic quotes runtime.
Re: PHP escaping strings for me.
Posted: Tue Mar 10, 2009 10:52 am
by JellyFish
That was fast. You're good, you.
I can't seem to disable magic quotes though. I had a php.ini file on the root directory of my site, and I set the magic_quotes_gpc to 0 and tried Off. But it doesn't appear to be working from what I can see in the results of phpinfo(). It would have been nice to be able to just change ini directives through a php.ini file. But I guess I could try another method.
Using ini_set() isn't an option according to the PHP manual. So maybe an .htaccess file will do the trick? But what do I have to put into an .htaccess file?
[EDIT] phpinfo says:
magic_quotes_gpc On On
magic_quotes_runtime Off Off
magic_quotes_sybase Off Off