Dotan Cohen wrote:
On 24/01/2008, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Wed, January 23, 2008 4:04 pm, Dotan Cohen wrote:
Is the "--" here not treated as the beginning of an SQL comment?
No, because it is inside the apostrophes.
The purpose of mysql_real_escape_string (or using prepared statements)
is to mark up (or separate) the DATA from the QUERY.
The data about to be put into the database being escaped by
mysql_real_escape_string is sufficient to be sure nobody is playing
games with apostrophe followed by -- which could, in theory, insert an
SQL comment or allow them to execute arbitrary SQL code.
In that case, the function:
    function clean_mysql ($dirty) {
        $dirty = str_replace ("--", "", $dirty);
        $dirty = str_replace (";", "", $dirty);
        $clean = mysql_real_escape_string($dirty);
        return $clean;
    }
Can be reduced to:
    function clean_mysql ($dirty) {
        $clean = mysql_real_escape_string($dirty);
        return $clean;
    }
or even:
    function clean_mysql ($dirty)
    {
        return mysql_real_escape_string($dirty);
    }
although I would make it part of a DB connection object so that
you can explicitly and transparently pass in the link id.
    class myDBC
    {
        private $link;

        function __construct($u, $p, $db, $cs)
        {
            // connect to given $db or throw exception
        }

        function cleanStr($s)
        {
            return mysql_real_escape_string($s, $this->link);
        }
    }
just a thought.
Which basically is the same as a simple mysql_real_escape_string? In
other words, mysql_real_escape_string itself is safe from SQL
injection?
not exactly - it assumes you will use the value as a quoted string in a query.
    $s = clean_mysql("foo -- bar ; ' qux");
    $q = "INSERT INTO foo (bar) VALUES ('$s')";
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
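The point made at the end of the thread (escaping is only meaningful when the value lands inside a quoted string literal) can be checked mechanically. The following Python script is an added illustration, not code from the thread or from PHP: `mysql_real_escape_string` re-implements the escaping rules documented for MySQL's C API so that no server is needed, `split_sql` is a deliberately small stand-in for MySQL's lexer (assumption: backslash escapes enabled, MySQL's default), and `skeleton_unchanged` reports whether interpolating a value left the query's non-literal "code" parts identical to the template's. The value "foo -- bar ; ' qux" is the one from the thread; the other inputs are constructed.

```python
"""Added illustration: an escaped value is only safe inside a quoted literal.
The splitter is a small stand-in for MySQL's lexer (assumption: backslash
escapes enabled, MySQL's default); mysql_real_escape_string() mimics the
documented escaping rules so the script runs without a MySQL server."""


def mysql_real_escape_string(s: str) -> str:
    # Characters MySQL's C API escapes: NUL, \n, \r, \, ', " and Ctrl-Z.
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def split_sql(query: str):
    """Split a query into ("code", text) / ("string", text) segments,
    honouring backslash escapes and doubled quotes inside literals."""
    segments, buf, i, n = [], [], 0, len(query)
    while i < n:
        ch = query[i]
        if ch not in ("'", '"'):
            buf.append(ch)
            i += 1
            continue
        if buf:
            segments.append(("code", "".join(buf)))
            buf = []
        quote, lit, j = ch, [], i + 1
        while j < n:
            c = query[j]
            if c == "\\" and j + 1 < n:          # escaped char stays in literal
                lit.append(query[j:j + 2])
                j += 2
            elif c == quote and j + 1 < n and query[j + 1] == quote:
                lit.append(c + c)                 # '' inside a literal
                j += 2
            elif c == quote:                      # closing quote
                break
            else:
                lit.append(c)
                j += 1
        segments.append(("string", "".join(lit)))
        i = j + 1
    if buf:
        segments.append(("code", "".join(buf)))
    return segments


def code_parts(query: str):
    """Everything the database would parse as SQL rather than as data."""
    return [t for kind, t in split_sql(query) if kind == "code"]


def comment_in_code(query: str) -> bool:
    """True if a '-- ' or '#' comment marker sits outside every literal."""
    return any("-- " in t or "#" in t for t in code_parts(query))


def skeleton_unchanged(template: str, value: str) -> bool:
    """The value is harmless iff interpolating it leaves the query's code
    parts identical to those of the template with an empty value."""
    return code_parts(template.format(value)) == code_parts(template.format(""))


# Constructed templates: one quoted context (as in the thread), one not.
QUOTED = "INSERT INTO foo (bar) VALUES ('{}')"
UNQUOTED = "SELECT * FROM foo WHERE id = {}"   # no quotes around the value

if __name__ == "__main__":
    v = "foo -- bar ; ' qux"                    # value from the thread
    esc = mysql_real_escape_string(v)
    print(skeleton_unchanged(QUOTED, esc))        # True: '--' stays data
    print(comment_in_code(QUOTED.format(esc)))    # False: no comment outside quotes
    print(skeleton_unchanged(QUOTED, v))          # False: unescaped quote breaks out
    print(skeleton_unchanged(UNQUOTED, mysql_real_escape_string("1 OR 1=1")))  # False
```

The last line is the caveat from the thread made concrete: escaping changes nothing in an unquoted (numeric) context, so the skeleton comparison fails even though the value went through `mysql_real_escape_string`. Prepared statements avoid the whole question because the data never passes through the lexer at all; where escaping is used, the template must quote the placeholder, and numeric values need their own validation (an integer cast, for example).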