ansaurus

Question

Is this line of PHP good enough to prevent MySQL injection?

Answer 1

+4 A:

Yes, mysql_real_escape_string will correctly escape the string so this is safe from SQL injection.

Mark Byers 2010-07-29 09:40:59

You may need the `stripslashes` call if `magic_quotes_gpc` is on... call it conditionally with `if (get_magic_quotes_gpc()) { $var = stripslashes($var); } `

ircmaxell 2010-07-29 09:57:35

I'm not sure how stripslashes could cause double escaping (perhaps you were thinking addslahes)? It could however remove any slashes that are supposed to be in the text. The only reason to use stripslashes would be if you are certain the server the code is running on has magic_quotes enabled.

Cags 2010-07-29 09:59:24

OK, yes I was thinking addslashes... not paying attention! I removed the last line.

Mark Byers 2010-07-29 10:09:50

you'd better keep it. stripslashes has nothing to do here anyway

Col. Shrapnel 2010-07-29 10:15:26

@Col. Shrapnel 7 remarks here but no answer. ( although your info is very helpful ) whats the correct solution according to you?

Grumpy 2010-07-29 10:32:01

@Grumpy answer to what question? A stripslashes one? Get rid of all magiq quotes at the very beginning of the script. See also my comment th the accepted question

Col. Shrapnel 2010-07-29 10:43:18

Answer 2

A:

It will not protect you from javascript ; if this string is javascript, and you later display it on a web page, it could be executed.

To be protected from that, you could use htmlentities.

Guillaume Lebourgeois 2010-07-29 09:41:26

What is the -1 for ?

Guillaume Lebourgeois 2010-07-29 09:47:52

I wasn't the downvoter but... why bring up Javascript here? It looks like PHP server side code, and seems to have nothing to do with Javascript.

Mark Byers 2010-07-29 09:49:38

It was just a way to warn him, as he gets his data from an HTML form. If he wants to display it from database on a webpage later, there's a security issue.

Guillaume Lebourgeois 2010-07-29 09:53:51

The question was about SQL injection not XSS which is quite another story. (not a downvoter either ;) )

Mchl 2010-07-29 09:59:22

htmlentities is dead. use htmlspecialchars

Col. Shrapnel 2010-07-29 10:14:37

Answer 3

+3 A:

You can never be sure that contact will be a plain string -- it comes from "out there", which automatically makes it unsafe. You should never trust unsafe input, thus parameterized query is the only way to go.

See this article. Granted, it covers an uncommon situation, but it's better to be safe than sorry.

Anton Gogolev 2010-07-29 09:42:14

Hmmm... interesting. It's good to always be paranoid about security, but is there actually a problem here? Can you give a specific example of an input that will give problems? I'm curious, because lots of people use this method to escape strings, and if it doesn't work that's a huge problem for a lot of people.

Mark Byers 2010-07-29 09:47:42

So what if it's not a plain string? Got an example?

Col. Shrapnel 2010-07-29 10:18:30

@Mark See my edits.

Anton Gogolev 2010-07-29 10:34:27

AFAIK, mysql_set_charset() function, if used instead of SET NAMES query, does solve that problem

Col. Shrapnel 2010-07-29 10:36:29

+1 for interesting article.

Mark Byers 2010-07-29 10:38:07

@Col I'm not a PHP expert by any means - I just feel wary about all these string manipulations `mysql_real_escape_string` performs. The `_real_` part bothers me most of all: it's very likely that someday we might have `_really_real_` option.

Anton Gogolev 2010-07-29 10:42:52

That's an old article. It was a bug back in 2006, and was fixed in 2006... So no, in any recent version of MySQL (it was fixed in 5.0.22), this is not an issue...

ircmaxell 2010-07-30 10:56:11

Answer 4

+3 A:

bluebit, your code is secure with regard that you're protecting against SQL Injection but you're not secure against things like XSS (Cross Site Scripting). This is the ability to pass Javascript into this field and then when you output it, you're outputting the Javascript.

To avoid this you can run your input through strip_tags() www.php.net/strip_tags this will remove all HTML tags from your input, thus getting rid of

Here is a nice function that you can reuse for all inputs you're receiveing from $_POST and wish to secure

$cleanInput = cleanPost($_POST['contact']);

function cleanPost($item) {
    return mysql_real_escape_string(strip_tags(stripslashes($item)));
}

There is also a built-in function in PHP for handling input types called filter_var() This allows you to specify wether you want to remove HTML and such, just like strip_tags()

Hopet this you realise you need to protect against SQL Injection and XSS.

Paul Dragoonis 2010-07-29 10:01:34

Absolutely. I output the results in a wordpress plugin, so this is quite a scary thought for me. I've added the strip_tags function :)

bluebit 2010-07-29 10:04:30

If you pass in <script>alert('injected');</script> into your contact field and submit it, see if wordpress is cleverly stripping out tags or not for you. If it's not when you display $_POST['contact'] on your webpage you should receive a javascript alert box.

Paul Dragoonis 2010-07-29 10:08:32

Making such a functions is terrible idea. There is no "clean" data format, but totally independent format rules. Too bad this answer been accepted by fellow no-cluer

Col. Shrapnel 2010-07-29 10:12:27

all three functions should be used in separate places and for the different data sets. stripslashes on input data at the very beginning of the script. mysql_real_escape_string on the data goes to the query, at the query building time. And strip-tags on the untrusted data only, preferably at output time

Col. Shrapnel 2010-07-29 10:19:48

Give the guy a break, he's just looking for an easy way to sanitise input fields for plain text in wordpress.

Paul Dragoonis 2010-07-29 13:07:10

ansaurus

tags:

views:

answers:

Is this line of PHP good enough to prevent MySQL injection?

related questions