Re: MySql Injection advice

2009/7/12 Haig Dedeyan <hdedeyan@xxxxxxxxxxxx>

> On July 11, 2009 08:21:34 pm Haig Dedeyan wrote:
> > On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdedeyan@xxxxxxxxxxxx>
> wrote:
> > > On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
> > > > At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:
> > > >
> > > > [1]
> > > >
> > > > >$fname = mysql_real_escape_string($fname);
> > > > >$lname = mysql_real_escape_string($lname);
> > > > >
> > > > >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE
> > > > > id=$id"; $result = mysql_query($sql);
> > > > >echo mysql_error() . "\n";
> > > > >
> > > > >This will result in the addition of the slashes.
> > > >
> > > > [2]
> > > >
> > > > >If I do the following, there are no slashes. Just wondering if I'm on
> > > > >the right path with the 1st code set..
> > > > >
> > > > >$sql = "UPDATE phonedir SET fname =
> > > > >'".mysql_real_escape_string($fname)."',lname =
> > > > >'".mysql_real_escape_string($lname)."' WHERE id=$id";
> > > > >$result = mysql_query($sql);
> > > > >echo mysql_error() . "\n";
> > > >
> > > > Haig:
> > > >
> > > > Interesting, I did not know that -- that sounds like a bug to me --
> > > > both should be the same.
> > > >
> > > > However, I commonly do [1] and when I have to display the data to a
> > > > browser, then I use htmlentities() and stripslashes() before
> > > > displaying the data. That way names like O'Brian appear correctly --
> > > > else they appear 0\'Brian.
> > > >
> > > > Now maybe I'm doing something wrong, but this way works for me. If
> > > > there is a better way, I would like to hear it.
> > > >
> > > > Cheers,
> > > >
> > > > tedd
> > >
> > > Thanks Tedd.
> > >
> > > I did more testing and here's what I have found.
> > >
> > > @PHPSter - magic quotes are off
> > >
> > >
> > > Just entering simple data where an apostrophe is part of the data.
> > >
> > > The following code is entering the slash but that's because I am escaping
> > > it twice since mysql_num_rows is throwing an error if an apostrophe is in
> > > its search:
> > >
> > > 1 -
> > > $new_fname = mysql_real_escape_string($new_fname);
> > > $new_lname = mysql_real_escape_string($new_lname);
> > >
> > > $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname'
> > > && lname = '$new_lname'");
> > > $num_rows = mysql_num_rows($result);
> >
> > The error message may be saying the mysql_num_rows is throwing an error but
> > the actual error is on the mysql_query function level (not a correct query).
> >
> > > if($num_rows > 0)
> > >
> > > {
> > > echo $fname." ".$lname." already exists";
> > > }
> > >
> > > else
> > > {
> > >
> > > mysql_query("INSERT INTO phonedir (fname, lname)
> > > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
> > > or die(mysql_error());
> >
> > BTW twice escaping is not good
> >
> > > 2 - If I do the same code above without the mysql_num_rows and no
> > > escaping, the data doesn't get entered.
> > >
> > > I think this is normal behaviour.
> > >
> > > Welcome to hell of quotes :(
> > >
> > >
> > >
> > >
> > >
> > >
> > > 3 - If I do any of the 2 following sets of code where there is 1 instance
> > > of escaping, the data gets entered with the apostrophe but I don't see any
> > > backslash entered.
> > >
> > > The part that I am concerned about is if I should be seeing the backslash
> > > entered without having to double escape,
> >
> > Please see the magic_quotes_runtime setting configuration...
> > http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime
> >
> > If it is enabled it will automatically remove the slashes from any
> > external source including databases...
> > It was there to make the life of the developer somewhat easier (!!!!)...
> > magic quotes things are deprecated and will be completely removed in PHP 6
> >
> > > $new_fname = mysql_real_escape_string($new_fname);
> > > $new_lname = mysql_real_escape_string($new_lname);
> > >
> > >
> > > $result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname'
> > > && lname = '$new_lname'");
> > > $num_rows = mysql_num_rows($result);
> > >
> > > if($num_rows > 0)
> > >
> > > {
> > > echo $fname." ".$lname." already exists";
> > > }
> > >
> > > else
> > > {
> > >
> > > mysql_query("INSERT INTO phonedir
> > > (fname, lname) VALUES('$new_fname','$new_lname')")
> > > or die(mysql_error());
> > >
> > >
> > >
> > > or
> > >
> > >
> > > mysql_query("INSERT INTO phonedir (fname, lname)
> > > VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
> > > or die(mysql_error());
>
>
>
> Thanks Zareef.
>
>
> Magic quotes are off. This is what my php ini says:
>
>
> ; Magic quotes for incoming GET/POST/Cookie data.
> magic_quotes_gpc = Off
>
>
> ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
> magic_quotes_runtime = Off
>
>
> ; Use Sybase-style magic quotes (escape ' with '' instead of \').
> magic_quotes_sybase = Off
>
>
This is fine, but just for final confirmation of the actual values at
runtime, can you try to get the value of the get_magic_quotes_runtime
function in your script.

var_dump(get_magic_quotes_runtime());

The possibility of using a different php.ini or modifying values of variables
at runtime is also there :)



>
>
>
> I won't be using 2x escapes but I just need to know if I should be seeing
> the backslash in the dbase.
>
>
>
>
> @Tedd - I will be looking into prepared statements eventually but I still
> want to understand escaping.
>
>
> Cheers
>
>
> Haig
>



-- 
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net
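As an added example (not code from this thread or from either poster), the following PHP script makes the three cases under discussion observable side by side: a value containing an apostrophe escaped once, escaped twice, and passed through a prepared statement. It uses mysqli rather than the old mysql_* functions so that prepared statements are available; the host, credentials and database name are placeholders, and the phonedir(id, fname, lname) table layout is assumed from the thread. With magic quotes off, the backslash added by mysql_real_escape_string()/real_escape_string() exists only inside the SQL text that is sent to the server; the stored column value has no backslash unless the input was escaped twice.

```php
<?php
// Added example, not from the thread. Assumes a MySQL server reachable with
// the placeholder credentials below and a phonedir table as in the thread.

// 1. Confirm the magic quotes state at runtime rather than trusting php.ini.
//    Both functions return 0 when the feature is off (they exist in PHP 5 only).
echo "magic_quotes_gpc:     " . (int) get_magic_quotes_gpc() . "\n";
echo "magic_quotes_runtime: " . (int) get_magic_quotes_runtime() . "\n";

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
if ($db->connect_errno) {
    die("connect failed: " . $db->connect_error . "\n");
}
$db->query("CREATE TABLE IF NOT EXISTS phonedir (
    id INT AUTO_INCREMENT PRIMARY KEY, fname VARCHAR(64), lname VARCHAR(64))");

$fname = "Pat";
$lname = "O'Brian"; // constructed input containing an apostrophe

// (a) escape once: the backslash appears only in the query text, never in the table.
$sql = sprintf("INSERT INTO phonedir (fname, lname) VALUES ('%s', '%s')",
               $db->real_escape_string($fname), $db->real_escape_string($lname));
echo "query (a): $sql\n"; // prints ... VALUES ('Pat', 'O\'Brian')
$db->query($sql) or die($db->error . "\n");
$idOnce = $db->insert_id;

// (b) escape twice: the second call escapes the backslash added by the first,
//     so the server decodes one backslash and stores it. This is the O\'Brian symptom.
$twice = $db->real_escape_string($db->real_escape_string($lname));
$db->query("INSERT INTO phonedir (fname, lname) VALUES ('Pat', '$twice')")
    or die($db->error . "\n");
$idTwice = $db->insert_id;

// (c) prepared statement: no escaping at all, the value never becomes SQL text.
$stmt = $db->prepare("INSERT INTO phonedir (fname, lname) VALUES (?, ?)");
$stmt->bind_param('ss', $fname, $lname);
$stmt->execute() or die($stmt->error . "\n");
$idBound = $db->insert_id;
$stmt->close();

// Read each row back by id. The id is bound as an integer, so unlike the
// thread's "WHERE id=$id" it cannot change the shape of the WHERE clause.
$stmt = $db->prepare("SELECT lname FROM phonedir WHERE id = ?");
foreach (array('once' => $idOnce, 'twice' => $idTwice, 'bound' => $idBound) as $label => $id) {
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($stored);
    $stmt->fetch();
    $stmt->free_result();
    // Escape for HTML only at output time; stripslashes() is unnecessary
    // because the stored value (cases a and c) contains no slash.
    printf("%-6s stored as: %s\n", $label, htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}
$stmt->close();
$db->close();
```

Run against a test database, the script shows "once" and "bound" stored as O'Brian and "twice" stored as O\'Brian. If a backslash shows up in the table for the single-escape case, the input was already escaped before the script saw it (magic_quotes_gpc, or another layer escaping it), which the two var_dump-style checks at the top are there to rule out.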
