views: 131
answers: 7

I was just wondering whether it makes a difference if I mysql_real_escape data more than once?

So if I escaped data in one part of my website, and then again in another part of the code, would this be a problem? Or make a difference?

+3  A: 

Yes. You'd get extra unnecessary backslashes.

Vilx-
+1  A: 

Of course, the data would be double-escaped.

You should not use mysql_real_escape() at all; parameterized queries via mysqli have been around long enough.

Tomalak
@whoever downvoted this: an explanation would have been nice.
Tomalak
+1  A: 

It is not possible to distinguish between an escaped and an unescaped string, because the thing which looks like an escaped string may be the intended unescaped string. Therefore, trying to escape again would escape the escaping, and the escaped-once text will be what MySQL reads.

Therefore, you should never escape more than once.

However, a better solution is to use parameterized queries, since then you don't need to escape at all.

Michael Madsen
+1  A: 

Yes, it would be a problem.

For example:
if a is "Joe's House", the first call will produce "Joe\'s House" and the second one will produce "Joe\\\'s House", saving the backslash in the database.

This is similar to the problem that arises when the web server has magic quotes enabled and you use mysql_real_escape_string on input from the client. This is solved by:

if (! get_magic_quotes_gpc()) {
    // magic quotes off: the request value is raw, escape it once
    $value = mysql_real_escape_string($_GET["value"]);
} else {
    // magic quotes on: PHP already ran addslashes() on the value,
    // so strip those slashes first, then escape exactly once
    $value = mysql_real_escape_string(stripslashes($_GET["value"]));
}

(For the latter example see http://www.php.net/get_magic_quotes_gpc )

[I edited the answer to reflect corrections in the comments below]

Dom De Felice
Magic quotes do not perform the same escaping as mysql(i)_(real_)escape_string. The right way to handle magic quotes, if you are unable to disable them, is to remove them with stripslashes, and then apply escaping if necessary (i.e., if you can't use parameterized queries). Ideally, you'd get rid of magic quotes at the very beginning, to avoid having to strip them every time you need to output them in a non-DB context.
Michael Madsen
I won't downvote because of your score, but this approach is wrong. Escaping should be just `$value = mysql_real_escape_string($_GET["value"]);` **unconditional**. And getting rid of magic quotes is another matter that should be done far before query composing, at the very top of the script.
Col. Shrapnel
I'll have to downvote you if you don't do `$value = mysql_real_escape_string(stripslashes($_GET["value"]));` on the last condition.
Alix Axel
Sorry guys, I didn't know that. And thanks for the information, I will correct my code too :-)
Dom De Felice
@Alix but this approach is wrong too. Just leave database escaping alone. It has nothing to do with magic quotes. Magic slashes must simply be stripped off, for many reasons. Does your app consist only of this very line?
Col. Shrapnel
@Col. Shrapnel: I know it's wrong and I don't expect him to provide a solution for magic quotes in his answer but since he is checking for it the least he can do is provide equally good code.
Alix Axel
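The answers above (Vilx-, Michael Madsen, Dom De Felice) all describe the same two effects: escaping twice leaves a backslash in the stored row, and magic quotes plus mysql_real_escape_string is just double escaping under another name. The following is an added example written for this page, not code from the thread or from PHP. It models the character set that mysql_real_escape_string() rewrites in pure Python (no MySQL server involved; `mysql_escape`, `mysql_unescape`, `addslashes` and `stripslashes` are this example's own functions mimicking the PHP ones) and shows what MySQL would actually store in each case.

```python
"""
Model of mysql_real_escape_string()-style escaping, written for this thread
to show what happens when data is escaped once, twice, or on top of
magic_quotes_gpc. Constructed example; it talks to no MySQL server, and the
function names below are ours, modelled on the PHP functions they imitate.
"""

# The characters mysql_real_escape_string() rewrites, and their escape sequences.
_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}
# Escape letter -> original character, for reading a literal back the way MySQL does.
_UNESCAPES = {seq[1]: ch for ch, seq in _ESCAPES.items()}


def mysql_escape(s: str) -> str:
    """Escape `s` for use inside a single-quoted MySQL string literal (ASCII model)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in s)


def mysql_unescape(s: str) -> str:
    """What MySQL's parser stores from the text between the quotes of a literal.

    Known sequences map back; for any other backslash sequence MySQL drops the backslash.
    """
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(_UNESCAPES.get(s[i + 1], s[i + 1]))
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def stored_value(raw: str, times: int) -> str:
    """Escape `raw` `times` times, put it between quotes, return what MySQL stores."""
    s = raw
    for _ in range(times):
        s = mysql_escape(s)
    # `s` is exactly the text that would sit inside '...' in the INSERT statement.
    return mysql_unescape(s)


def addslashes(s: str) -> str:
    """PHP addslashes(), which magic_quotes_gpc applied to every request value."""
    return "".join(
        "\\" + ch if ch in "'\"\\" else ("\\0" if ch == "\0" else ch) for ch in s
    )


def stripslashes(s: str) -> str:
    """PHP stripslashes(): undo addslashes(); `\\0` becomes NUL, a trailing lone backslash is dropped."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def demo(raw: str = "Joe's House") -> dict:
    """Single vs double escaping, and magic quotes with/without stripslashes()."""
    once = mysql_escape(raw)
    twice = mysql_escape(once)
    request_value = addslashes(raw)  # $_GET["value"] as seen with magic_quotes_gpc on
    return {
        "once": once,                                   # Joe\'s House
        "twice": twice,                                 # Joe\\\'s House
        "stored_once": stored_value(raw, 1),            # Joe's House   (correct)
        "stored_twice": stored_value(raw, 2),           # Joe\'s House  (backslash persisted)
        "magic_then_escape": mysql_escape(request_value),               # same as `twice`
        "strip_then_escape": mysql_escape(stripslashes(request_value)), # same as `once`
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

Two caveats the model glosses over: the real mysql_real_escape_string() needs the open connection because escaping depends on the connection character set (that is the whole difference from the deprecated mysql_escape_string()), and MySQL accepts a few further sequences (`\b`, `\t`, `\%`, `\_`) that the table above omits. Neither changes the conclusion: the number of escapings must be exactly one, applied at the point the query is built.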
+1  A: 

Yes, it will be an over-escaping problem. This is the same for any escaping, regardless of what exactly it does. For instance, if you escape double quotes in a string following the common rule:

bla "foo"

after one escaping becomes

bla \"foo\"

after two becomes

bla \\\"foo\\\"

and so on. The number of "unescapements" must exactly match the number of "escapements". You can see manifestations of this problem on some sites that over-escape some characters in text fields, so that a simple apostrophe becomes \' on output.

doublep
A: 

Yes, it makes a difference:

$string = "I'm Chuck!";
mysql_escape_string($string); // I\'m Chuck!
mysql_escape_string(mysql_escape_string($string)); // I\\\'m Chuck!
Alix Axel
+7  A: 

The right place for mysql_real_escape is right before you send the query to save the data. Every other instance anywhere else in the script is a major design flaw.

That should preferably be in its own db class, of course.

b_i_d
The greatest point ever! I should have noted it myself.
Col. Shrapnel
It's the right place to do it, but not the best way to handle the problem.
Blair McMillan
@Blair care to explain a little? What problem and what's the best?
Col. Shrapnel
The problem of handling injection. Parametrised queries are a better way of dealing with that. But like I said, your answer gives the right place to do what the OP asked.
Blair McMillan
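b_i_d's answer and Blair McMillan's comments make two separate points: escaping belongs in exactly one place (the query builder), and parameter binding removes the need for it entirely. The following added example, not code from the thread, puts both side by side on an in-memory SQLite database so it runs offline. The `houses` table, its rows and the `mysql_escape` helper are constructed for the illustration; `mysql_escape` mimics what mysql_real_escape_string() does to the two characters that matter here. SQLite is used only as a stand-in driver that supports `?` placeholders; it does not interpret backslash escapes in literals, which is exactly why a pre-escaped value survives into the table unchanged.

```python
"""
Concatenation vs. parameter binding, and what happens when a value is
escaped *and then* bound. Constructed example for this thread; the table,
rows and helper names are made up.
"""
import sqlite3


def mysql_escape(s: str) -> str:
    """Model of mysql_real_escape_string() for backslash and apostrophe only."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def fresh_db() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE houses (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO houses (owner) VALUES (?)", [("Alice",), ("Bob",)])
    return db


def insert_concat(db: sqlite3.Connection, owner: str) -> None:
    """The pattern the thread warns about: the value is spliced into the SQL text."""
    db.execute(f"INSERT INTO houses (owner) VALUES ('{owner}')")


def insert_bound(db: sqlite3.Connection, owner: str) -> None:
    """Parameterized insert: the driver keeps data and SQL apart, nothing to escape."""
    db.execute("INSERT INTO houses (owner) VALUES (?)", (owner,))


def owners_concat(db: sqlite3.Connection, owner: str) -> list:
    """Vulnerable lookup: SQL text built by string formatting."""
    return [r[0] for r in db.execute(f"SELECT owner FROM houses WHERE owner = '{owner}'")]


def owners_bound(db: sqlite3.Connection, owner: str) -> list:
    """Safe lookup: the same query with a bound parameter."""
    return [r[0] for r in db.execute("SELECT owner FROM houses WHERE owner = ?", (owner,))]


def demo() -> dict:
    db = fresh_db()
    results = {}

    # 1. Splicing an apostrophe into the SQL text breaks the statement outright.
    try:
        insert_concat(db, "Joe's House")
        results["concat_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["concat_apostrophe"] = "syntax error"

    # 2. Binding the raw value stores it exactly as typed.
    insert_bound(db, "Joe's House")

    # 3. Escaping first and then binding: the double-escape bug in a new guise,
    #    the backslash ends up in the row because the driver already quoted for us.
    insert_bound(db, mysql_escape("Joe's House"))
    results["stored"] = [
        r[0] for r in db.execute("SELECT owner FROM houses WHERE owner LIKE 'Joe%' ORDER BY id")
    ]

    # 4. The classic injection payload against both query styles.
    payload = "x' OR '1'='1"
    results["injected_concat"] = len(owners_concat(db, payload))  # every row comes back
    results["injected_bound"] = len(owners_bound(db, payload))    # no row matches that literal
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:18} {value!r}")
```

The third step is the practical lesson behind "escape in exactly one place": code that was migrated from concatenation to prepared statements but kept an earlier mysql_real_escape_string() call will silently store `Joe\'s House`, and every later read of that row needs a matching unescape that nobody wrote.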