tags:

views:

127

answers:

3
+3  Q: 

What characters are NOT escaped with a mysqli prepared statement?

Hey everyone,

I'm trying to harden some of my PHP code and use mysqli prepared statements to better validate user input and prevent injection attacks.

I switched away from mysqli_real_escape_string as it does not escape % and _. However, when I create my query as a mysqli prepared statement, the same flaw is still present. The query pulls a users salt value based on their username. I'd do something similar for passwords and other lookups.

Code:

$db = new sitedatalayer();

if ($stmt = $db->_conn->prepare("SELECT `salt` FROM admins WHERE `username` LIKE ? LIMIT 1")) {

  $stmt->bind_param('s', $username);
  $stmt->execute();
  $stmt->bind_result($salt);


  while ($stmt->fetch()) { 
    printf("%s\n", $salt);
  } 

  $stmt->close();    

}

else return false;
  • Am I composing the statement correctly?
  • If I am what other characters need to be examined? What other flaws are there?
  • What is best practice for doing these types of selects?

Thanks,

+7  A: 

% is not an inherently harmful character.

The question is: why are you using a LIKE in the first place? Are there any circumstances in which you wouldn't require an exact match for username?

The query should be simply:

SELECT `salt` FROM admins WHERE `username` = ? LIMIT 1

In that case, if I were to enter %bsmith my username would have to be (literally) "%bsmith" in order for you to find a match.

VoteyDisciple  2010-06-14 16:04:56
Thanks - I tried using an = sign earlier and my query didnt work. Must have had an error somewhere else. Works now.
barfoon  2010-06-14 16:10:37
A: 

You are confusing two different levels of evaluation here.

The LIKE operator takes a string and evaluates any '%' and '_' as placeholders.

The job of query parameters is it only to bring values (e.g. strings) verbatim to the database engine, so they cannot be mistaken for SQL code. They don't care how the LIKE operator makes special use of certain characters within the string they've just transported. Everything just works as designed here.

If you want exact matches, use the = operator in place of LIKE.

If you must use LIKE (even though your LIMIT 1 indicates otherwise here), escape the the special characters accordingly yourself beforehand.

Tomalak  2010-06-14 16:07:17
If they are placed verbatim, then why use prepared statements and not just insert $username right into a string?
barfoon  2010-06-14 16:09:18
@barfoon: As I said, parameters work on the "SQL string literal" level. They make sure string literals do not break. `LIKE` works one abstraction level higher, because it interprets the string *contents* according to its own rules. Parameters play no part here anymore, all they do is making sure your SQL statement does not break.
Tomalak  2010-06-14 16:12:17
A: 

One who use LIKE to match a username IS wrong. Not escaping function.

And, just for your info: native prepared statements do not escape anything.

Col. Shrapnel  2010-06-14 16:08:10
ADODB and PDO for PHP uses mysql_real_escape_string(), if you don't believe me, look at the code, i have. I should give you a -1, but i think i have given you enough of 'em :p
Rook  2010-06-14 16:20:36
Okay well i still care about incorrect statements `prepared statements do not escape anything.`
Rook  2010-06-14 16:52:02
@Col. Shrapnel for the record i didn't give you the -1.
Rook  2010-06-14 17:41:31

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases