Re: MySql Injection advice

On July 11, 2009 08:21:34 pm Haig Dedeyan wrote:
> On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdedeyan@xxxxxxxxxxxx> wrote:
> > On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
> > > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
> > >
> > > [1]
> > >
> > > >$fname = mysql_real_escape_string($fname);
> > > >$lname = mysql_real_escape_string($lname);
> > > >
> > > >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE
> > > > id=$id"; $result = mysql_query($sql);
> > > >echo mysql_error() . "\n";
> > > >
> > > >This will result in the addition of the slashes.
> > >
> > > [2]
> > >
> > > >If I do the following, there are no slashes. Just wondering if I'm on the
> > > >right path with the 1st code set..
> > > >
> > > >$sql = "UPDATE phonedir SET fname =
> > > >'".mysql_real_escape_string($fname)."',lname =
> > > >'".mysql_real_escape_string($lname)."'  WHERE id=$id";
> > > >$result = mysql_query($sql);
> > > >echo mysql_error() . "\n";
> > >
> > > Haig:
> > >
> > > Interesting, I did not know that -- that sounds like a bug to me --
> > > both should be the same.
> > >
> > > However, I commonly do [1] and when I have to display the data to a
> > > browser, then I use htmlentities() and stripslashes() before
> > > displaying the data. That way names like O'Brian appear correctly --
> > > else they appear 0\'Brian.
> > >
> > > Now maybe I'm doing something wrong, but this way works for me. If
> > > there is a better way, I would like to hear it.
> > >
> > > Cheers,
> > >
> > > tedd
> >
> > Thanks Tedd.
> >
> > I did more testing and here's what I have found.
> >
> > @PHPSter - magic quotes are off
> >
> >
> > Just entering simple data where an apostrophe is part of the data.
> >
> > The following code is entering the slash but that's because I am escaping
> > it twice since mysql_num_rows is throwing an error if an apostrophe is in
> > its search:
> >
> > 1 -
> > $new_fname = mysql_real_escape_string($new_fname);
> > $new_lname = mysql_real_escape_string($new_lname);
> >
> > $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname'
> > && lname = '$new_lname'");
> > $num_rows = mysql_num_rows($result);
>
> The error message may be saying that mysql_num_rows is throwing an error, but
> the actual error is at the mysql_query function level (not a correct query)
>
> > if($num_rows > 0)
> >
> >          {
> >                echo $fname." ".$lname." already exists";
> >          }
> >
> > else
> >        {
> >
> > mysql_query("INSERT INTO phonedir
> > (fname, lname)
> >
> > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());
>
> BTW escaping twice is not good
>
> > 2 - If I do the same code above without the mysql_num_rows and no
> > escaping, the data doesn't get entered.
> >
> > I think this is normal behaviour.
> >
> > Welcome to the hell of quotes :(
> >
> > 3 - If I do any of the 2 following sets of code where there is 1 instance
> > of escaping, the data gets entered with the apostrophe but I don't see any
> > backslash entered.
> >
> > The part that I am concerned about is if I should be seeing the backslash
> > entered without having to double escape,
>
> Please see magic_quotes_runtime setting configuration...
> http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
>
> If it is enabled it will automatically remove the slashes from any
> external source including databases...
> It was there to make the life of the developer somewhat easier (!!!!)...
> Magic quotes are deprecated and will be completely removed in PHP 6
>
> > $new_fname = mysql_real_escape_string($new_fname);
> > $new_lname = mysql_real_escape_string($new_lname);
> >
> >
> > $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname'
> > && lname = '$new_lname'");
> > $num_rows = mysql_num_rows($result);
> >
> > if($num_rows > 0)
> >
> >          {
> >                echo $fname." ".$lname." already exists";
> >          }
> >
> > else
> >        {
> >
> > mysql_query("INSERT INTO phonedir
> > (fname, lname) VALUES('$new_fname','$new_lname')")
> > or die(mysql_error());
> >
> >
> >
> > or
> >
> >
> > mysql_query("INSERT INTO phonedir
> > (fname, lname)
> >
> > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')") or die(mysql_error());


Thanks Zareef.

Magic quotes are off. This is what my php ini says:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off



I won't be using 2x escapes but I just need to know if I should be seeing the
backslash in the dbase.



@Tedd - I will be looking into prepared statements eventually but I still want 
to understand escaping.

Cheers

Haig
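As an added illustration, not part of this thread, of why no backslash is stored after a single mysql_real_escape_string() but one is stored after two: a Python model of MySQL's backslash-escaping rules on the client side and of the server's literal parsing, plus the placeholder-bound insert that prepared statements give you. The escaping tables, function names and the use of sqlite3 as a stand-in for MySQL in the placeholder demo are assumptions of this example.

```python
import sqlite3

# MySQL backslash-escape rules applied by mysql_real_escape_string()
# (single-byte connection charset, NO_BACKSLASH_ESCAPES off); a model, not PHP.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
            "\r": "\\r", "\x00": "\\0", "\x1a": "\\Z"}
_UNESCAPES = {"\\": "\\", "'": "'", '"': '"', "n": "\n",
              "r": "\r", "0": "\x00", "Z": "\x1a"}

def mysql_escape(value: str) -> str:
    """Model of mysql_real_escape_string(): prefix each special char with a backslash."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def server_parse_literal(literal: str) -> str:
    """What the MySQL parser stores for the text between the quotes of a literal:
    the backslash is consumed and only the character it protected survives."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append(_UNESCAPES.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)

def stored_value(name: str, escape_passes: int) -> str:
    """Column value that results from escaping `name` escape_passes times."""
    literal = name
    for _ in range(escape_passes):
        literal = mysql_escape(literal)
    return server_parse_literal(literal)

def insert_with_placeholder(fname: str, lname: str) -> tuple:
    """Placeholder binding (sqlite3 standing in for MySQL): the driver sends the
    values separately from the SQL, so no escaping is needed and no backslash is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phonedir (fname TEXT, lname TEXT)")
    conn.execute("INSERT INTO phonedir (fname, lname) VALUES (?, ?)", (fname, lname))
    return conn.execute("SELECT fname, lname FROM phonedir").fetchone()
```

stored_value("O'Brian", 1) comes back as O'Brian with no backslash, while stored_value("O'Brian", 2) keeps one, which is exactly the double-escaping symptom described above.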
