If I accidentally double escape a string, can the DB be harmed?

For the purposes of this question, let's say I'm not using stored procedures or parametrized queries.

For example, let's say I get the following input:

bob's bike

And I escape that:

bob\'s bike

But my code is horrible, and escapes it again:

bob\\\'s bike

Now, if I insert that into a DB, the value in the DB will be

bob\'s bike

Which, while not what I want, won't harm the DB. Is it possible for any input that's double-escaped to do something malicious to the DB, assuming that I take all other necessary security precautions?

+1  A: 

assuming that I take all other necessary security precautions

Hardcoding SQL and/or parameter values into an application should never be considered "taking the necessary security precautions", because you will always be subject to SQL injection attacks (in the case of a web application).

It's best to use stored procedures if you can, and if that's not an option, at a minimum you should be using parameterized queries (bind variables is another term for this).

But to answer your question, storing bob\'s bike in the database isn't going to do any harm in and of itself, but take care to consider the other points mentioned above; they are vitally important from a security perspective.

dcp
+1  A: 

Single escaping is just as harmful/harmless as double escaping in terms of security.

The biggest issue is that you need to double-unescape. Otherwise, if you only single-unescape, you will end up with backslashes in database output.

For example, if you run bob\\\'s bike through the unescape() function, it will output bob\'s bike which will then be printed to the page, unless you unescape it again. But don't unescape too many times, because this can remove intentional backslashes (and possibly do more harm).

Does this question have anything to do with PHP's magic quotes feature by chance? Just curious...

Ricket
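The following is an added example, not code from the question or from either answer. It models the situation both answers discuss: an addslashes-style escape applied once or twice, a MySQL-style parser reading the resulting single-quoted literal (the assumption here is MySQL backslash escaping; PostgreSQL with standard_conforming_strings treats backslashes literally), and a stripslashes-style unescape run over what was stored. The table name `bikes`, the column `name` and the hypothetical helpers `stored_value` and `read_quoted_literal` are constructed for the example. It shows what the database actually stores after one and after two escape passes, that a quote-breakout attempt stays inside the literal in both cases while it escapes with zero passes, and that unescaping one time too many strips a backslash the user actually typed.

```python
"""Added example (not from the original thread): addslashes-style escaping,
a MySQL-style reader for quoted literals, and stripslashes-style unescaping."""

# Characters that PHP's addslashes() escapes: backslash, single quote, double quote, NUL.
_ESCAPE = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0"}

# How a MySQL server interprets a backslash sequence inside a quoted literal.
# Any other "\x" sequence is read as a plain "x".
_MYSQL_UNESCAPE = {
    "0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a",
    "\\": "\\", "'": "'", '"': '"', "%": "\\%", "_": "\\_",
}


def addslashes(s: str) -> str:
    """Escape one pass, the way addslashes() / magic quotes would."""
    return "".join(_ESCAPE.get(ch, ch) for ch in s)


def stripslashes(s: str) -> str:
    """Inverse of addslashes (PHP semantics): drop one backslash per escape."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append("\0" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def read_quoted_literal(sql: str) -> tuple[str, str]:
    """Parse a single-quoted MySQL-style literal at the start of `sql`.

    Returns (value the server would store, SQL text after the closing quote).
    Raises ValueError if the literal never closes.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            out.append(_MYSQL_UNESCAPE.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":  # '' inside a literal is one quote
                out.append("'")
                i += 2
            else:
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(user_input: str, escape_passes: int) -> tuple[str, str]:
    """Escape `user_input` `escape_passes` times, splice it into a query the way
    the question's code does, and return (what the DB stores, SQL after the literal).

    If the remaining SQL is anything other than ")", the input broke out of the literal.
    Hypothetical table and column names; constructed for this example.
    """
    s = user_input
    for _ in range(escape_passes):
        s = addslashes(s)
    prefix = "INSERT INTO bikes (name) VALUES ("
    sql = prefix + "'" + s + "')"
    return read_quoted_literal(sql[len(prefix):])


if __name__ == "__main__":
    # Constructed inputs: the question's own string, a breakout attempt, and a path
    # whose backslash the user really typed.
    for inp in ["bob's bike", "x' OR 1=1 -- ", "C:\\temp"]:
        for passes in (0, 1, 2):
            print(repr(inp), "passes:", passes, "->", stored_value(inp, passes))
    stored = stored_value("C:\\temp", 2)[0]      # double-escaped, as stored: C:\\temp
    print(repr(stripslashes(stored)))            # one unescape restores C:\temp
    print(repr(stripslashes(stripslashes(stored))))  # one too many: C:temp
```

With zero escape passes the breakout attempt ends the literal early and the rest of the line becomes SQL; with one or two passes the whole input is read as a value and the parser lands exactly on the closing `)`. The price of the second pass is a stray backslash in the stored value, and the price of unescaping once more than the data was escaped is losing backslashes the user meant to store.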