php security

06-09-2005, 04:32 PM
#21
Travis
Koobi, if you want to use mysql_real_escape_characters() look at Example 3 in the php documentation.

Here is the reason why ' is converted to \\\' in your code when the case is true:
If magic quotes are off, slashes are added, but then they are added again by the mysql_real_escape_string() function. If magic quotes are not off (i.e., on), then nothing happens to the string because it has already been changed to \'. Again the query goes through, then executes mysql_real_escape_string() and adds slashes again to both of those, becoming \\\'. The only reason it works for numbers is that numbers don't have quotes or special characters, so the string is not changed at all.

In the case when the code is false, you want to get ' from \\\':
The problem here is that if magic quotes are on, the string that was converted to \' is stripped back to '. If they are on then it stays like '.
' != \\\' and therefore it does not work!

06-09-2005, 04:47 PM
#22
Travis
This is pretty much the function they have on php.net I was talking about:
PHP Code:
<?php

function escapeSql($badQuery) {

    // Undo the slashes magic_quotes_gpc added on input so the value is escaped only once
    $badQuery = (get_magic_quotes_gpc()) ? stripslashes($badQuery) : $badQuery;

    // Escape non-numeric values for use inside a MySQL query string
    $badQuery = (!is_numeric($badQuery)) ? mysql_real_escape_string($badQuery) : $badQuery;

    return $badQuery;
}

?>
The function addslashes() is currently fine for doing this. The only reason why you would use mysql_real_escape_string() instead is in case the implementation of these changes later. So therefore the function above is probably the best of all three we have seen so far. Not to say though that my other function will not work now if you try it.

You really don't need all the TRUE, FALSE, one for input, one for output stuff. If you are doing that and it actually works then you really aren't using a very efficient method in my opinion. Why have two separate things for queries when you can just use the same for all queries? Also probably saves the server a bit of time having to do two conversions (not that it would make a big deal, but if you want to get really picky).

06-09-2005, 06:16 PM
#23
Salathe
Whilst we're all sharing code snippets, I'll show you what I use in my DB class just for fun. It's pretty much what Trav has got above.
PHP Code:
function escape($value)
{
    // Stripslashes
    if (function_exists('get_magic_quotes_gpc'))
    {
        if (get_magic_quotes_gpc())
        {
            $value = stripslashes($value);
        }
    }

    // Quote if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
I like to add the single speech marks around non-numeric values within the function just because it makes this tidier and easier for me later on (when constructing the SQL statements).

One note that no-one has picked up on as yet. It is all well and good having these super-dooper functions to stop any problems, but you must remember to use them all the time. Just one use of data input being used in the statement without being fully checked and your system could be compromised... it is only as strong as the weakest link.
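
The double-escaping that Travis walks through in #21, and the strip-then-escape-once shape of the functions in #22 and #23, can be reproduced without a database. The script below is an added example written for this thread, not code posted by Travis or Salathe. It assumes two stand-ins: magic_quotes_gpc (removed in PHP 5.4) is modelled by calling addslashes() on the incoming value, and addslashes() also stands in for mysql_real_escape_string() (removed in PHP 7), since both escape the quote and backslash characters that matter here. The input value is constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Models the "\\\'" problem described above.
// magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value on arrival,
// so escaping the value again before the query stacks slashes on top of slashes.
// addslashes() is used here as a stand-in for mysql_real_escape_string() (assumption).

// What a script saw when magic quotes were on: the value already carries slashes.
function simulateMagicQuotes(string $raw): string
{
    return addslashes($raw);
}

// Escaping without first undoing magic quotes: ' becomes \\\' (three slashes).
function escapeNaive(string $value): string
{
    return is_numeric($value) ? $value : addslashes($value);
}

// The shape used in #22 and #23: strip the slashes magic quotes added, then
// escape exactly once, and quote non-numeric values as Salathe's escape() does.
function escapeOnce(string $value, bool $magicQuotesOn): string
{
    if ($magicQuotesOn) {
        $value = stripslashes($value);
    }
    return is_numeric($value) ? $value : "'" . addslashes($value) . "'";
}

$raw = "O'Reilly";                        // constructed sample input
$fromRequest = simulateMagicQuotes($raw); // what $_POST held with magic quotes on

echo "arrived as:    ", $fromRequest, PHP_EOL;                  // O\'Reilly
echo "naive escape:  ", escapeNaive($fromRequest), PHP_EOL;     // O\\\'Reilly (slashes stacked)
echo "escape once:   ", escapeOnce($fromRequest, true), PHP_EOL; // 'O\'Reilly'
echo "numeric value: ", escapeOnce("42", true), PHP_EOL;         // 42 (left unquoted)
```

Run it with php from the command line. The naive line shows the \\\' that Travis saw: stripslashes() before escaping is what brings the value back to a single \'. One caveat on the is_numeric() branch shared by both posted functions: it also accepts strings such as "1e3", which are then placed in the query unquoted; anything that is not numeric is quoted and escaped, so the branch does not let arbitrary text through.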
