On 22 July 2016 10:53:44 BST, German Geek <geek.de@xxxxxxxxx> wrote:
> mysql_real_escape_string is by far better than a simple regex. The post on
> stackoverflow is a bit misleading.
>
> Select * from table where id = 1 or true
>
> Would select all, yes. One should always put the value into single quotes.
> That way the "attack" from the stackoverflow post isn't possible at all.
> Strings in sql can also be used when the value is a non-string type like
> integer.
>
> The above query would become
>
> select * from table where id = '1 or true'
>
> Now there is no injection possible because ' is illegal.
>
> Select * from table where id = '1'
>
> Will still work as expected.
>
> However, parameterized queries simplify injection prevention and if
> possible should be preferred.
>
> Knowing that any value can be forced to be literal with single quotes is
> probably the most useful piece of information here.
>
> On Fri, Jul 22, 2016, 09:08 Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> On Thu, 2016-07-21 at 23:04 -0400, Omega -1911 wrote:
>>> On Thu, Jul 21, 2016 at 9:50 PM, Aziz Saleh <azizsaleh@xxxxxxxxx> wrote:
>>>
>>>> Prepared statements have nothing to do with htmlentities (probably
>>>> since it's an old code it was doing it wrong, should have been using
>>>> mysql_real_escape_string).
>>>>
>>>
>>> That is NOT true. To rely on mysql_real_escape_string still leaves an
>>> open window to attack:
>>>
>>> http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
>>>
>>> A simple regex (or so) to only allow approved characters would be better
>>> practice.
>>
>> That would NOT be a better practice, as your regex would need to be
>> unnecessarily complicated for all the characters you want to allow (and
>> what about poor old Patrick O'Leary who you just prevented entry to your
>> form because they have an apostrophe in their name that you forgot to
>> include?
>> https://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
>> )
>>
>> Use prepared statements with PDO, they will protect you to the level you
>> want. At this point anything is better than the mysql_* functions you
>> appear to be using.
>>
>> htmlentities() is only for presentation to a browser when the content is
>> HTML. It's very bad practice to use this on content before entering it
>> into a DB, as that's modifying the content in a way that can't be easily
>> undone (e.g. if the content already legitimately had encoded HTML in
>> there.)
>>
>> Thanks,
>> Ash
>>
>> http://www.ashleysheridan.co.uk
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php

Neither mysql_* functions nor Regex should be used for this sort of thing. If you do, then your code is broken. The mysql_* functions have been deprecated for years. As for the Regex, Jamie Zawinski said it well with: 'Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems'

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
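As an added example (not code from the thread, and not any poster's own), here is the interpolated query the thread talks about beside its PDO prepared-statement form. It runs against an in-memory SQLite database through PDO so it is self-contained; the table, its rows, the `1 or true` payload and the O'Leary name are constructed for illustration, and the `countRows` helper is just a local convenience.

```php
<?php
// Added example, not code from the thread. It runs against an in-memory
// SQLite database through PDO so it works offline; for MySQL the same PDO
// calls apply with a 'mysql:host=...;dbname=...' DSN, ideally constructed
// with PDO::ATTR_EMULATE_PREPARES => false so bound values travel to the
// server separately from the SQL text instead of being escaped into it.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed inputs: the payload discussed in the thread, and a legitimate
// name containing an apostrophe.
$hostileId = '1 or true';
$name      = "Patrick O'Leary";

function countRows(PDOStatement $stmt): int
{
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// (a) Interpolating the value unquoted: the payload is parsed as SQL, the
//     WHERE clause is always true and every row comes back.
//     (SQLite understands the TRUE keyword from version 3.23 onwards.)
$unsafe = $pdo->query("SELECT id, name FROM users WHERE id = $hostileId");
printf("%-24s %d rows\n", 'interpolated, unquoted:', countRows($unsafe));

// (b) Prepared statement with the raw input bound as a parameter: the SQL
//     is fixed at prepare() time, so the payload can only ever be data.
//     How many rows match now depends on the engine's string-to-number
//     coercion (SQLite leaves '1 or true' as text and matches nothing;
//     MySQL truncates it to 1 with a warning), which is why the type check
//     in (c) is still worth doing.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
$stmt->execute([':id' => $hostileId]);
printf("%-24s %d rows\n", 'prepared, raw string:', countRows($stmt));

// (c) Validate the type before binding, and bind with the matching PDO type.
$id = filter_var($hostileId, FILTER_VALIDATE_INT);
if ($id === false) {
    printf("%-24s %s\n", 'prepared, validated:', 'rejected non-integer id');
} else {
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    printf("%-24s %d rows\n", 'prepared, validated:', countRows($stmt));
}

// (d) The apostrophe case from the thread: stored as-is through a bound
//     parameter, with no escaping function and no htmlentities() on the way
//     in; the value is encoded only at output, for the context it goes into.
$ins = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$ins->execute([':name' => $name]);

$sel = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$sel->execute([':name' => $name]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

printf("%-24s %s\n", 'stored name:', $row['name']);
printf("%-24s %s\n", 'for HTML output:', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
```

Run it with `php example.php` on a build that has pdo_sqlite. Case (a) returns the whole table; (b) shows that once the value is a bound parameter the same string can no longer change the query's shape, although what it compares equal to is the database's business; (c) adds the integer validation that makes that question moot; (d) is the O'Leary case, which needs no special handling at all when the name goes in as a parameter and is escaped for HTML only at display time.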