views: 187
answers: 4

Hi,

Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right?

Thanks :)

+4  A: 

Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that would break the SQL (quotes, etc).

Better yet, use bound parameters and you won't have to worry about it.

Andrew Medico
Thanks Andrew. Can I ask what "Bound parameters" are?
Lyon
It is a means of declaring placeholders in your SQL and then sending the data values to the server "out of band" such that they cannot possibly be interpreted as SQL, eliminating the possibility of SQL injection. See, for example: http://usphp.com/manual/en/function.mysqli-stmt-bind-param.php
Andrew Medico
Hmm..I see. After your heads up, I started reading up about bind params and its support in mysqli. I am currently using ext/mysql and I believe that does not support binding parameters. Thank you so much. I'll have to take my queries about migrating from mysql to mysqli on another thread (such as using mysqli without prepared statements).
Lyon
As per my answer elsewhere, pre-emptively escaping your data is a very bad idea - this pre-supposes that you know where the data is going and therefore which function to use to change the representation - addslashes, htmlentities, mysql_real_escape_string, urlencode.... do NOT all do the same thing.
symcbean
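As an added illustration of the bound-parameter approach Andrew describes (example code written for this page, not from the thread or from PHP's documentation): a username that arrived via $_POST at login is kept raw in $_SESSION and later used in a lookup, written once with escaping at the concatenation point and once with a bound parameter via mysqli. The `$db` connection, the `users` table and its `id`/`username` columns are assumptions.

```php
<?php
// Added example, not from the original thread.
// Assumes a mysqli connection $db and a table users(id INT, username VARCHAR).

session_start();

// At login the username came in through $_POST. It is stored in the session
// as-is: no escaping yet, because we do not know where it will be used later.
function rememberLogin(string $usernameFromPost): void
{
    $_SESSION['username'] = $usernameFromPost;   // e.g. O'Brien - a quote is legal data
}

// What breaks: plain interpolation. With O'Brien the quote ends the string
// literal early and the statement is no longer valid SQL.
//   $sql = "SELECT id FROM users WHERE username = '$username'";

// Version A: dynamic SQL. The escaping is done right next to the concatenation,
// for the exact connection (and charset) the string is sent over, so anyone
// reading this function can see the SQL is built correctly.
function findUserIdEscaped(mysqli $db, string $username): ?int
{
    $sql = "SELECT id FROM users WHERE username = '"
         . $db->real_escape_string($username) . "'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_assoc() : null;
    return $row ? (int) $row['id'] : null;
}

// Version B: prepared statement with a bound parameter. The SQL text and the
// value travel separately, so the value is never parsed as SQL, quotes included.
function findUserIdBound(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();             // true when a row was read
    $stmt->close();
    return $found ? (int) $id : null;
}

// Usage (connection details are placeholders):
// $db = new mysqli('localhost', 'dbuser', 'dbpass', 'app');
// rememberLogin($_POST['username'] ?? '');
// $id = findUserIdBound($db, $_SESSION['username']);
```

Both versions accept the same raw session value; the difference is that version A has to be re-checked every time the query is edited, while version B cannot be broken by the data at all.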
+1  A: 

Do not escape/quote/encode text until you're at the point where you need it. Internal representations should be as "raw" as possible.

Ignacio Vazquez-Abrams
+1, exactly what I was thinking.
Inshallah
+1  A: 

You can answer the question yourself by following this line of reasoning:

Did the value in $_SESSION originate from user input?

If so, has it been sanitized already?

Silvio Donnini
Yes it has. That's why I was wondering if it should be escaped again before using it in a sql statement.
Lyon
Then I wouldn't escape it again, it would be better to insert it in the db with as little processing as possible
Silvio Donnini
My take on it: if you generate your SQL dynamically, by concatenating data into it, sanitizing and concatenation should be done in the same place. It should be obvious that you are constructing the SQL correctly, and sanitize everything properly, just by looking at the concatenation code.
Inshallah
Hmm, true. But my session variables are assigned upon logging in or some other misc functions. In other parts of the script, the session variable would be used instead of fetching from the database again. E.g. user id etc. My concern then was, is it theoretically possible for anyone to manipulate the session variables. Thank you :) These are practices I have to adopt when programming.
Lyon
+1  A: 

Theoretically, the $_SESSION variables can't be modified by the end-user

No, but the data must have come from somewhere.

You should escape any output from PHP, using the appropriate method for the destination at the point at which it leaves PHP.

C.

symcbean
Thank you symcbean :) I assume "leaving PHP" implies either mysql or writing to file? I used to use htmlspecialchars but now exclusively use filter_var and mysql_real_escape_string to process any input from users.
Lyon
Clarification: For processing input from users for use in mysql, I first sanitize the input, then use mysql_real_escape_string. So htmlentities (as opposed to htmlspecialchars) will be used when I'm outputting any data for display in the client's browser.
Lyon
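To illustrate symcbean's point that each destination needs its own encoding at the moment the data leaves PHP (added example, not code from the thread): one raw value kept in $_SESSION is encoded four different ways, for the database, an HTML page, a URL and a log line. The `$db` connection, the `notes` table and the sample value are assumptions.

```php
<?php
// Added example, not from the original thread.
// Assumes a mysqli connection $db and a table notes(title VARCHAR).

session_start();

// Constructed sample value, stored raw in the session at some earlier point.
// It contains an ampersand, a quote and markup, all of which are legal data.
$_SESSION['title'] = "Tom & Jerry's <b>list</b>";

// Destination 1: SQL. No escaping function at all; bind the raw value.
// Escaping here would be wrong for every other destination and would
// double-escape if the value were escaped again later.
function saveTitle(mysqli $db, string $title): bool
{
    $stmt = $db->prepare('INSERT INTO notes (title) VALUES (?)');
    $stmt->bind_param('s', $title);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Destination 2: HTML text or attribute. htmlspecialchars covers the five
// characters that matter for markup; htmlentities additionally encodes
// non-ASCII characters, which only matters when the page is not served as UTF-8.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Destination 3: a URL query parameter. A different alphabet is reserved here,
// so the HTML encoding above would be wrong (and vice versa).
function forUrl(string $s): string
{
    return '/notes?title=' . rawurlencode($s);
}

// Destination 4: a plain-text log line. Nothing needs escaping for SQL or HTML;
// only line breaks are neutralised so one value cannot forge extra log lines.
function forLog(string $s): string
{
    return str_replace(["\r", "\n"], ' ', $s);
}

$raw = $_SESSION['title'];

// Each call receives the same raw string; the representation is chosen once,
// at the exit point, by the code that knows where the value is going.
// saveTitle($db, $raw);
echo '<h1>' . forHtml($raw) . "</h1>\n";
echo '<a href="' . forHtml(forUrl($raw)) . "\">link</a>\n";   // URL-encode, then HTML-encode for the attribute
error_log('saved note: ' . forLog($raw));
```

Note the link line: a value that goes into a URL inside an HTML attribute is encoded twice, once per layer, in the order the layers are unwrapped by the browser. That is the practical reason the thread warns against encoding data before its destination is known.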