tags:

views:

81

answers:

4
Q: 

quotes in queries

I have a mysql query which requires that parameters be enclosed in either "" or '',

if I have an array passed to this function:

function orderbyfield($column, array $selection)
{
 // will it be alright (secure) to do this?
 foreach ($selection as $s)
 {
  $s = '"' . $s . '"';
 }
 $string = implode(',', $selection)
 return array($column, $string);
}

and pass it to

function generate_sql()
{
 $fields = $this->orderbyfield(); // assuming the code is in a class
 $sql = 'SELECT FIELDS FROM TABLE ORDER BY FIELD (' . $fields[0] . ',' . mysql_real_escape_string($fields[1]));
}

will there be any security issues with this approach?

EDIT assume that code is in a class, made necessary addition of $this->

EDIT typo on the foreach

A: 

Because you are using the mysql_real_escape_string function, it is pretty safe as far as strings are concerned. See dealing with sql injection for more info.

Sarfraz  2010-01-26 07:21:25
A: 

You should add quotes arround your string, but there quotes inside your strings themselves should also be escaped -- this can be done using mysql_real_escape_string, mysqli_real_escape_string, or PDO::quote, depending on the kind of functions/methods you are using to connect to your database.

Doing this (As you are already doing -- which is nice) should prevent SQL injections (at least for string : you should also check that numerics are indeed corresponding to numerical data, for instance)


Another solution, maybe a bit easier once you get it, would be to use Prepared statements.
See :

Pascal MARTIN  2010-01-26 07:49:46
A: 

As others have said you should be using mysql_real_escape_string at the point where you create the query string. Also, although the database may be able to cast between types, not all the variables need to be quoted in queries:

function enclose($val, $dbh)
{
  if (($val==='') || (is_null($val))) {
       return 'NULL';
  }
  // is it a number?
  if (preg_match('/^[\+-]*\d+\.?\d*$/', $val)) {
      return($val);
  }
  // its a string
  return("'" . mysql_real_escape_string($val, $dbh) . "'");
}

The null handling might need to be tweaked. (the above is cut down from a generic interface I use which also reads the structure of the table using DESCRIBE to get hints on when to quote/use nulls etc)

C.

symcbean  2010-01-26 12:22:22
A: 

If you're using PDO's prepared statements, you do not have to worry about the escaping yourself. No quotes, no backslashes, no nothing.

middus  2010-01-26 12:25:38

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL