#1
Old 04-07-10, 16:27
nzo
not using mysql_real_escape_string(), problem?

Is not using mysql_real_escape_string before putting strings into a mysql query a security problem if you apply the following steps first (using PHP):

1. take out all ' and ".
2. apply stripslashes();
3. apply addslashes();
4. put the string between apostrophes: insert into table set column='user entered string'

Thanks,

Last edited by nzo; 04-07-10 at 16:30.
#2
Old 04-07-10, 17:12
compsci
Quote:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
--Source

If you stripslashes and then addslashes - what difference have you made to the user input?

Why take out the single and double quotes - what if you need them, i.e. a user has entered a comment and you've removed those characters - once you get them back from the DB and display them, you've made it look like the commenter doesn't know how to write!

It's probably easier and simpler just to use mysql_real_escape_string(). Why don't you want to use it?

Further in the docs it says:
Quote:
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL
#3
Old 04-08-10, 05:01
nzo
I do prefer to use mysql_real_escape_string, but a site I am working for has their own escape function, mainly for names etc., so comments do not matter!

Thanks for the info. I also read
Quote:
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL
too, which is why I was curious about how secure not using it would be.

I guess the logic is that stripslashes would take out all slashes, and then addslashes would escape any characters that need escaping, as the PHP manual states:
Quote:
Returns a string with backslashes before characters that need to be quoted in database queries etc
It replaces ' and " so that if data is taken out, processed in some way and then put back into a table (if it contained a ') it will not have to be escaped again.
#4
Old 04-08-10, 05:47
compsci
Ah, I see. I thought I would have a look around and I found out that:

Quote:
Addslashes is generally not good enough when dealing with multibyte encoded strings.
What I've actually noticed now is that addslashes() will only take care of these characters:

Code:
' \ and NUL
Whereas the mysql_real_escape_string function takes care of a lot more dangerous characters.

Check this out.
#5
Old 04-08-10, 05:51
compsci
I thought I would do a quick test and see how well those steps work:
Code:
<?php
// In a double-quoted PHP string \' and "\ " are not escape sequences,
// so the value is literally: Adam \'\ '
$test_string = "Adam \'\ '"; //when echo'ed: Adam \'\ '

// Step 1: remove single and double quotes
$test_string = str_replace("'", '', $test_string);
$test_string = str_replace('"', '', $test_string);

// Step 2: stripslashes() collapses the remaining \\ to a single \
$test_string = stripslashes($test_string);

// Step 3: addslashes() escapes that backslash again
$test_string = addslashes($test_string);

echo $test_string; //when echo'ed: Adam \\
Still contains slashes?? This took me 5 seconds, so I probably didn't think it through; the logic looks like what you described though!
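To make the comparison concrete, here is an added example (not code from the thread) that re-implements nzo's steps and the escaping rules of addslashes(), stripslashes() and mysql_real_escape_string() in Python, following the manual descriptions quoted in this thread, and runs both over a few constructed inputs; the PHP functions are assumed to behave exactly as the manual documents them.

```python
# Added example, not from the thread: PHP addslashes()/stripslashes() and
# MySQL's escaper re-implemented per the manual text quoted in this thread.
# Assumed semantics: addslashes() prefixes ' " \ with a backslash and turns
# NUL into \0; stripslashes() reverses that (and drops a lone trailing
# backslash); mysql_real_escape_string() escapes \x00 \n \r \ ' " and \x1a.

def php_addslashes(s: str) -> str:
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def php_stripslashes(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\":
            if i + 1 < len(s):
                out.append("\x00" if s[i + 1] == "0" else s[i + 1])
            i += 2  # a lone trailing backslash is simply dropped
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

MYSQL_ESCAPES = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                 "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def mysql_real_escape_string(s: str) -> str:
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in s)

def custom_escape(s: str) -> str:
    """nzo's steps 1-3: delete quotes, stripslashes(), then addslashes()."""
    s = s.replace("'", "").replace('"', "")
    return php_addslashes(php_stripslashes(s))

def compare(s: str) -> dict:
    return {"custom": custom_escape(s), "mysql": mysql_real_escape_string(s)}

if __name__ == "__main__":
    # Constructed inputs: compsci's test string, a name containing an
    # apostrophe and a newline, and a Windows path ending in a backslash.
    for sample in ("Adam \\'\\ '", "O'Brien\nLtd", "C:\\path\\"):
        r = compare(sample)
        print(f"{sample!r:18} custom={r['custom']!r:18} mysql={r['mysql']!r}")
```

The custom steps silently change what gets stored (quotes vanish, and a backslash before a letter takes that letter's escape away), while the MySQL escaper only adds escaping that the server strips again on insert.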
#6
Old 04-08-10, 07:40
nzo
stripslashes 'Un-quotes a quoted string', so it would still contain slashes. Sorry, I should have read the PHP page on stripslashes!

'Adam\\' is still a valid/secure mysql insert though, isn't it?

Thanks, that link is very helpful.
#7
Old 04-08-10, 09:03
compsci
Quote:
Originally Posted by nzo
'Adam\\' is still a valid/secure mysql insert though, isn't it?
It is valid, that shouldn't cause any problems as far as mysql is concerned, but then what happens when you decide to return the user's first name? Do work to remove slashes? Inefficient!

I would probably just use the mysql function rather than the custom function since it is an inbuilt function that works.