tags:

views:

913

answers:

5
+3  Q: 

Understanding input escaping in PHP

Hi,

One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection.

Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form:

"Hello", said Jimmy O'Toole.

If you print/echo the input on the PHP page that receives this POST data, it comes out as:

\"Hello\", said Jimmy O\'Toole.

This is the point where it gets confusing. If I put this input string into (My)SQL and execute it, it'll go into the database fine (since quotes are escaped), but would that stop SQL injection?

If I take the input string and call something like mysqli real_escape_string on it, it comes out like this:

\\"Hello\\", said Jimmy O\\'Toole.

So when it goes into the database via (My)SQL, it ends up as:

\"Hello\", said Jimmy O\'Toole.

This obviously has too many slashes.

So if the input comes through HTTP POST as escaped, do you have to escape it again to make it safe for (My)SQL? Or am I just not seeing something obvious here?

Thanks in advance for any help.

A: 

Obvious is the keyword for a hacker.

I think escaping normally should be enough, but protecting against just the quotes might not be enough.

See this SQL Injection cheatsheet, it's a good list of test you can run and see if too many slahses is a good thing or not.

And don't forget to escape other kinds of values too, i.e. numeric fields and datetime fields can all be injected just as easily as strings.

chakrit  2009-01-19 09:36:27
+8  A: 

Ah, the wonders of magic quotes. It is making those unnecessary escapes from your POST forms. You should disable (or neutralize) them, and many of your headaches go away.

Here's an exemplary article of the subject: http://www.sitepoint.com/blogs/2005/03/02/magic-quotes-headaches/

Recap: disable magic quotes, use real_escape_string().

Henrik Paul  2009-01-19 09:38:55
You should disable them if you can. It’s better than reversing them.
Gumbo  2009-01-19 15:19:41
Magic quotes were a bandaid the PHP devs added in the past then realized it cause more problems than it fixed. Magic quotes will be removed from PHP in 6.0
TravisO  2009-01-19 18:54:41
+2  A: 

Instead of relying on escaping I would use parametrized SQL queries and let the mysql driver do whatever escaping it needs.

PEZ  2009-01-19 09:42:32
I wonder why so many people insist on going through the pain of string escaping for SQL use when paramterized queries are available. Fear of RTFM?
Tomalak  2009-01-19 09:46:58
Yes I agree, parametrized queries or store procedures are the most secure way to access a SQL server.
TravisO  2009-01-19 18:55:19
"To he who has a hammer, every problem looks like a nail." There's nothing wrong with manually writing SQL. Parameterised queries are sometimes more work than that.
staticsan  2009-01-20 01:21:55
+1  A: 

What's going on is that you have Magic Quotes turned on in your PHP configuration.

It's highly recommended that youturn magic quotes off - in fact, they've been removed from PHP 6 completely.

Once you disable magic quotes, you'll see the POSTed text coming back exactly as you typed it in to the form: "Hello", said Jimmy O'Toole. It's now obvious that you need to use the mysql escaping functions or even better, prepared statements (with prepared statements you can't forget to escape a string as it's done for you).

Greg  2009-01-19 09:44:37
+1  A: 

It looks like your PHP server has the Magic Quotes feature enabled - that's where your first set of slashes comes from. In theory, it should then be unnecessary to call the escape functions - but when the app runs on a server with magic quotes disabled, you're suddenly wide open to SQL injection while thinking you aren't.

As chakrit wrote, escaping is not the best way to protect yourself - It's much safer to user parameterized queries.

Michael Borgwardt  2009-01-19 09:45:13

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL