Somewhere while studying I just found out something interesting. It says something as follows:

$query = sprintf("SELECT firstname, lastname, address, age FROM friends 
WHERE firstname='%s' AND lastname='%s'",mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

using a query like this instead of

$query = "SELECT firstname, lastname, address, age FROM friends
WHERE firstname='".$_RETURN['name1']."' AND lastname='".$_RETURN['name2']."'";

Does this seem reasonable? Have you ever tried this kind of coding, and how does it help prevent malicious attacks?

+1  A: 

As far as I'm aware, mysql_real_escape_string is one of the better ways to prevent SQL injection, short of using prepared statements with mysqli or PDO.

Ian Oxley
Prepared statements are the best way in my opinion, because they don't mix data and SQL.
Peter Stuifzand
+3  A: 

Example:

Query:

SELECT temp1 FROM temp WHERE temp2 = 'VAR1'

Now we'll assign VAR1 the value of: '; DROP TABLE *; -- And we'll get:

SELECT temp1 FROM temp WHERE temp2 = ''; DROP TABLE *; --'

With mysql_real_escape_string it would look like this:

SELECT temp1 FROM temp WHERE temp2 = '\'; DROP TABLE *; --'

mysql_real_escape_string 'secures' a string for usage within a query.

Bobby
That's my little bobby tables... +1
cballou
@cballou: *roflmao* :D
Bobby
A: 

Using formatting functions like sprintf is purely a matter of taste. The big advantage in the first example is that the function mysql_real_escape_string prevents all SQL injections (explained in one of the other answers), unlike the somewhat iffy magic_quotes_gpc feature in PHP, which many people rely on instead.

magic_quotes_gpc automatically escapes things you receive in requests from clients... but it cannot detect so-called second-level injections:

  1. You get a malicious query from a client and store its contents in the database. magic_quotes_gpc prevents SQL injection; the malicious string gets stored correctly.
  2. Later on, you fetch this string from the database and include it in another query. Now the string didn't come out of a request, so magic_quotes_gpc doesn't escape the string. Voilà, SQL injection; your data is now probably gone.

Using some means of escaping yourself, either something like mysql_real_escape_string or a database abstraction layer with a query builder (e.g. Adodb), is definitely superior to just hoping for the best.

Jan Krüger
So Jan, do you mean that I can use either of the two, 'mysql_real_escape_string' or 'magic_quotes_gpc'? Are both of them going to help me avoid injection?
Sachindra
Never, ever use magic quotes. Code that relies on magic quotes is broken by default.
Peter Stuifzand
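The three approaches discussed in this thread, side by side, as an added example that is not part of the question or any answer: escaping the value before concatenation (the sprintf form from the question), a prepared statement (Ian's and Peter's recommendation), and the second-level case from Jan's answer where a value read back from the database is reused in a new query. The mysql_* functions were removed in PHP 7, so this uses PDO's equivalents (PDO::quote in place of mysql_real_escape_string); the DSN, credentials and the `friends` table layout from the question are assumptions.

```php
<?php
// Added example; assumes a MySQL database reachable via PDO with the `friends`
// table from the question. DSN, user and password are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]   // real server-side prepares
);

// Constructed input carrying the payload shown in Bobby's answer.
$firstname = "Robert'; DROP TABLE friends; --";
$lastname  = "Tables";

// 1. Escaping, the equivalent of the question's sprintf/mysql_real_escape_string
//    form. PDO::quote escapes the quote characters and wraps the value in quotes,
//    so the payload stays inside the string literal. This is only correct when
//    the value is used as a quoted string literal; it does not make an unquoted
//    number, a column name or an ORDER BY clause safe.
$sql = sprintf(
    "SELECT firstname, lastname, address, age FROM friends WHERE firstname=%s AND lastname=%s",
    $pdo->quote($firstname), $pdo->quote($lastname)
);
$escapedRows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);

// 2. Prepared statement: the SQL text is parsed first, the values are sent
//    afterwards as data, so there is no query string for the payload to alter.
$stmt = $pdo->prepare(
    'SELECT firstname, lastname, address, age FROM friends WHERE firstname = ? AND lastname = ?'
);
$stmt->execute([$firstname, $lastname]);
$preparedRows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 3. Second-level case: store the value, read it back, reuse it in another query.
//    magic_quotes_gpc would never see the stored copy (it did not arrive in a
//    request); a prepared statement treats it as plain data again.
$insert = $pdo->prepare('INSERT INTO friends (firstname, lastname, address, age) VALUES (?, ?, ?, ?)');
$insert->execute([$firstname, $lastname, 'constructed address', 30]);

$readBack = $pdo->prepare('SELECT firstname FROM friends WHERE lastname = ?');
$readBack->execute([$lastname]);
$stored = $readBack->fetchColumn();          // still contains the quote and semicolon

$again = $pdo->prepare('SELECT address FROM friends WHERE firstname = ?');
$again->execute([$stored]);                  // bound as data; the table is untouched
$secondLevelRows = $again->fetchAll(PDO::FETCH_ASSOC);
```

Both query forms return the same rows for the same input; the difference is that the escaped form depends on the value being placed inside quotes with the connection's charset, while the prepared form holds regardless of where the value came from.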