Re: MySql Injection advice

Hi gang:

I am top posting only to show that the following post makes no sense as to who said what.

At what point here Zareef, did you think you were helping anyone? Or is this more of your "I'm going to do whatever I want" attitude?

I would hate to review code with such lack of forethought and consideration for others to read.

tedd

-- totally useless post follows:


At 5:51 AM +0530 7/12/09, Zareef Ahmed wrote:
On Sun, Jul 12, 2009 at 4:09 AM, Haig Dedeyan <hdedeyan@xxxxxxxxxxxx> wrote:

On July 11, 2009 10:57:14 am Haig Dedeyan wrote:
 At 10:12 PM -0400 7/10/09, Haig Dedeyan wrote:

 [1]

 >$fname = mysql_real_escape_string($fname);
 >$lname = mysql_real_escape_string($lname);
 >
 >$sql = "UPDATE phonedir SET fname = '$fname',lname = '$lname' WHERE id=$id";
 >$result = mysql_query($sql);
 >echo mysql_error() . "\n";
 >
 >This will result in the addition of the slashes.

 [2]

 >If I do the following, there are no slashes. Just wondering if I'm on the
 >right path with the 1st code set..
 >
 >$sql = "UPDATE phonedir SET fname = '".mysql_real_escape_string($fname)."',lname = '".mysql_real_escape_string($lname)."' WHERE id=$id";
 >$result = mysql_query($sql);
 >echo mysql_error() . "\n";

 Haig:

 Interesting, I did not know that -- that sounds like a bug to me --
 both should be the same.

 However, I commonly do [1] and when I have to display the data to a
 browser, then I use htmlentities() and stripslashes() before
 displaying the data. That way names like O'Brian appear correctly --
 else they appear 0\'Brian.

 Now maybe I'm doing something wrong, but this way works for me. If
 there is a better way, I would like to hear it.

 Cheers,

 tedd

Thanks Tedd.

I did more testing and here's what I have found.

@PHPSter - magic quotes are off


Just entering simple data where an apostrophe is part of the data.

The following code is entering the slash but that's because I am escaping it
twice since mysql_num_rows is throwing an error if an apostrophe is in its
search:

1 -
$new_fname = mysql_real_escape_string($new_fname);
$new_lname = mysql_real_escape_string($new_lname);

$result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' && lname = '$new_lname'");
$num_rows = mysql_num_rows($result);


The error message may be saying that mysql_num_rows is throwing an error, but the actual error is at the mysql_query level (not a correct query).


if($num_rows > 0)
    {
        echo $fname." ".$lname." already exists";
    }
else
    {
        mysql_query("INSERT INTO phonedir
        (fname, lname)
        VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
        or die(mysql_error());


BTW, escaping twice is not good.

2 - If I do the same code above without the mysql_num_rows and no escaping,
the data doesn't get entered.

I think this is normal behaviour.

Welcome to the hell of quotes :(

3 - If I do any of the 2 following sets of code where there is 1 instance of
escaping, the data gets entered with the apostrophe but I don't see any back
slash entered.

The part that I am concerned about is if I should be seeing the backslash
entered without having to double escape,


Please see the magic_quotes_runtime configuration setting...
http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-runtime

If it is enabled, it will automatically remove the slashes from any external source, including databases...
It was there to make the life of the developer somewhat easier (!!!!)...
Magic quotes are deprecated and will be completely removed in PHP 6.



$new_fname = mysql_real_escape_string($new_fname);
$new_lname = mysql_real_escape_string($new_lname);

$result = mysql_query("SELECT * FROM phonedir WHERE fname = '$new_fname' && lname = '$new_lname'");
$num_rows = mysql_num_rows($result);

if($num_rows > 0)
    {
        echo $fname." ".$lname." already exists";
    }
else
    {
        mysql_query("INSERT INTO phonedir
        (fname, lname) VALUES('$new_fname','$new_lname')")
        or die(mysql_error());



or


mysql_query("INSERT INTO phonedir
(fname, lname)
VALUES('".mysql_real_escape_string($new_fname)."','".mysql_real_escape_string($new_lname)."')")
or die(mysql_error());




--
Zareef Ahmed :: A PHP Developer in India ( Delhi )
Homepage :: http://www.zareef.net


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
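The thread above circles around the same three problems: a value escaped twice ends up stored as O\'Brian, the `$id` in the UPDATE is interpolated into the SQL with no escaping at all, and stripslashes() is then used at display time to undo the damage. The following is an added example, not code from any of the posters, that rewrites the phonedir lookup, insert and update with PDO prepared statements so the driver quotes every value exactly once and nothing is escaped by hand. An in-memory SQLite database stands in for MySQL so the script runs offline; the table and column names come from the thread, while the function names, the UNIQUE(fname, lname) constraint and the sample names are assumptions made here.

```php
<?php
// Added example (not from the thread): phonedir lookup/insert/update with
// PDO prepared statements. SQLite in memory replaces MySQL so it runs
// offline; the UNIQUE constraint and function names are assumptions.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    // Table shape taken from the thread; the UNIQUE constraint is added here
    // so the "already exists" check is enforced by the database itself.
    $db->exec('CREATE TABLE phonedir (
                   id    INTEGER PRIMARY KEY AUTOINCREMENT,
                   fname TEXT NOT NULL,
                   lname TEXT NOT NULL,
                   UNIQUE (fname, lname))');
    return $db;
}

// Insert a name; returns false if it already exists. Relying on the UNIQUE
// constraint instead of SELECT-then-INSERT means two concurrent requests
// cannot both slip past the duplicate check.
function addPerson(PDO $db, string $fname, string $lname): bool
{
    $stmt = $db->prepare('INSERT INTO phonedir (fname, lname) VALUES (:fname, :lname)');
    try {
        $stmt->execute([':fname' => $fname, ':lname' => $lname]);
        return true;
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation (duplicate name)
        if ((string) $e->getCode() === '23000') {
            return false;
        }
        throw $e;
    }
}

// The UPDATE from the first quoted snippet. There $id went into the SQL
// string unescaped; binding it as an integer closes that hole as well.
function renamePerson(PDO $db, int $id, string $fname, string $lname): int
{
    $stmt = $db->prepare('UPDATE phonedir SET fname = :fname, lname = :lname WHERE id = :id');
    $stmt->bindValue(':fname', $fname, PDO::PARAM_STR);
    $stmt->bindValue(':lname', $lname, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// The SELECT that mysql_num_rows() was being run against in the thread.
function findByName(PDO $db, string $fname, string $lname): ?array
{
    $stmt = $db->prepare('SELECT id, fname, lname FROM phonedir WHERE fname = :fname AND lname = :lname');
    $stmt->execute([':fname' => $fname, ':lname' => $lname]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Output encoding belongs at the output boundary: HTML-escape when rendering
// and never stripslashes() data read back from the database. With bound
// parameters the stored value is O'Brian, not O\'Brian, so there is nothing
// to strip; the apostrophe is encoded for HTML here and nowhere else.
function renderName(string $fname, string $lname): string
{
    return htmlspecialchars($fname . ' ' . $lname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample run with an apostrophe in the data, as in the thread.
$db        = openDb();
$firstTry  = addPerson($db, 'Sean', "O'Brian");
$secondTry = addPerson($db, 'Sean', "O'Brian");
$row       = findByName($db, 'Sean', "O'Brian");
$changed   = renamePerson($db, (int) $row['id'], 'Sean', "D'Angelo");
$renamed   = findByName($db, 'Sean', "D'Angelo");

printf("first insert: %s, second insert: %s\n",
    $firstTry ? 'inserted' : 'already exists',
    $secondTry ? 'inserted' : 'already exists');
printf("stored lname before rename: %s\n", $row['lname']);
printf("rows changed by rename: %d, stored lname now: %s\n", $changed, $renamed['lname']);
printf("rendered for HTML: %s\n", renderName($renamed['fname'], $renamed['lname']));
```

Run it with `php phonedir.php`. Against a real MySQL server the same functions work unchanged once the DSN is swapped for `mysql:host=...;dbname=...;charset=utf8mb4`; on that driver it is also worth setting `PDO::ATTR_EMULATE_PREPARES => false` so parameters are sent to the server separately from the statement text rather than quoted client-side.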

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

