tags:

views:

280

answers:

4
Q: 

PHP protecting itself from SQL injections?

When I send ");-- from an input field to my localhost PHP server, it AUTOMATICALLY converts it to

\");--

It seems great, except that I don't know how trustworthy this behavior is. Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production environment may not have this sort of protection automatically activated...

Why does PHP does this(convert the input without having to use mysql_real_escape_string)? Does it always do it or only with certain extensions? Is it safe to rely on this behavior to prevent SQL injections?

+6  A: 

It seems that you have Magic Quotes enabled. But you better disable this option or revert them. mysql_real_escape_string is more secure.

Gumbo  2009-03-15 18:44:33
Yes, I had heard about them, but I never knew exactly what they were. I felt unsafe since I didn't know exactly what was going on. That's why I asked this. I'm going to turn it off so I can get control over my server again.
luiscubal  2009-03-15 18:56:38
I recommend you to read one of the questions here on SO that explain why Magic Quotes are bad practice and show the difference between Magic Quotes and `mysql_real_escape_string()`.
Gumbo  2009-03-15 19:01:28
Actually, if you have the option, use prepared statements instead of escaping data.
troelskn  2009-03-15 20:19:06
I'm not sure my server supports them, but I'll remember that name. The concept seems interesting, but doesn't seem to magically remove the injection threat - mysql_real_escape_string still seems to be needed.
luiscubal  2009-03-15 21:41:04
PDO has prepared statements. That has been standard from version 5.1. You don't use explicit escaping (mysql_real_escape_string) when you use prepared statements.
troelskn  2009-03-16 09:39:33
+1  A: 

This "feature" of PHP is known as "magic quotes". As 'magic' as they may be, it is extremely bad practice to use them, as they do little more than give a false sense of security. Thankfully they have been removed from PHP 6 (in development).

A more detailed list of criticisms can be found in this Wikipedia article.

The PHP manual describes various ways to disable magic quotes.

MattJ  2009-03-15 18:52:16
+1  A: 

You might want to get into talking to the database using an abstraction layer like Zend_Db. For example, if you create a select statement by instantiating a Zend_Db_Select, it would look like this:

//$_GET['thing'] is automatically escaped 
$select = $zdb->select()->from('things')->where('name = ?',$_GET['thing']);
$result = $zdb->fetchRow($select->__toString());//__toString generates a really pretty, vendor independent query

//a plain vanilla query would look like this:
$result = $zdb->fetchRow('select * from things where name = ?', $zdb->quote($_GET['thing']);
karim79  2009-03-15 19:43:58
The abstraction layer is a really good idea.
 2009-03-16 00:53:48
A: 

You have Magic Quotes turned on. The PHP group officially deprecated this function strongly, and strongly discourages relying on it. Ways to disable magic quotes at runtime don't always work, weather you use .htaccess or ini_set() in the script. Calling stripslashes all the time can also become pretty messy.

More details: http://ca3.php.net/magic_quotes

Wadih M.  2009-03-17 14:39:29

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases