ctype_alnum vs mysql_real_escape_string

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

Post Reply
purple_car_park
Forum Newbie
Posts: 3
Joined: Wed Jan 14, 2009 9:34 am

ctype_alnum vs mysql_real_escape_string

Post by purple_car_park »

Hi all very very new to the forum, just wanted to ask a few questions on protecting against sql injection (or specifically how I've gone about it).

I'm currently looking at making a login form for a training company. I'm by no means an advanced php developer (yet!) but I'm looking to learn every step I take and above all make sure my code is secure before it goes live.

As the title implies, I was wondering what problems lie with using the ctype_alnum over the standard character escaping method for validating data? My usernames are all definitely alphanumeric so can any malicious queries still be made bypassing the ctype_alnum check?

As my usernames are unique, If the username validates as alphanumeric then I simply run a count query and make sure that one result is returned (preventing wildcard results yes?) so only if the username is of valid format and only one result is returned do we start checking any fields in the database. If the result is every greater than 1 then I think I'll have a log set up to record it or a mail notification of some sort.

Is there anything I haven't considered here? Any comments would be greatly appreciated. ooh and I'll happily submit my code example if I haven't explained myself clearly.

If anyone can help, thanks in advance...
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: ctype_alnum vs mysql_real_escape_string

Post by matthijs »

Hi, welcome to the forums.

The thing with ctype_alnum is that it isn't an escape function to prevent sql injection. It is a function to validate alphanumeric strings. To escape strings for use in queries in mysql you need the function mysql_real_escape_string.

An important distinction you have to understand is the one between input validation and escaping of data for use in a database query. I'd suggest to search for some articles on the subject to better understand these different terms, and how and when to use them. Chris Shifflet has a nice short book Essential php security about this, on his website you'll find some articles about this. And of course do a search for input validation and data escaping in these forums.
purple_car_park
Forum Newbie
Posts: 3
Joined: Wed Jan 14, 2009 9:34 am

Re: ctype_alnum vs mysql_real_escape_string

Post by purple_car_park »

top man... thanks for the quick response Matt always appreciated.

Okay I can see there is a difference now between the two, and it in no way makes sense for me not to include the mysql_real_escape_string as it further guarantees a secure login. filter all inputs and escape all outputs I think I read; so I'm definitely taking this on board.

I guess I'd like to know more on how an SQL injection could be performed when the login form only permits alpha numeric input? I don't want to make any assumptions at the moment but I'd just like to get my head around the idea really, give me an idea on how the direction I'll need to go with this project. If you can help great, but feel free to provide me with some search keywords or links... I'll happily do the research myself.

Thanks in advance!
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: ctype_alnum vs mysql_real_escape_string

Post by matthijs »

If you want to read a more in dept article about sql injection I can refer you to:
http://www.webappsec.org/projects/articles/091007.shtml
written by Mordred, also a member of this forum.

In general, you should see input validation/filtering and output escaping as separate layers, used in a "defense in dept" style. So even if using a strict input validation (like ctype_alnum) might prevent sql injection, you should always, as a defense in dept measure, also perform output escaping.
purple_car_park
Forum Newbie
Posts: 3
Joined: Wed Jan 14, 2009 9:34 am

Re: ctype_alnum vs mysql_real_escape_string

Post by purple_car_park »

strength in depth.. I like it cheers for the tip.

The link is awesome too. Quite a reader-friendly so kudos to you for the recommendation and Mordred.

I'm sure I'll be in touch soon with more questions. Man I love PHP!!!
Post Reply