  1. #1

    not using mysql_real_escape_string(), problem?

    Is not using mysql_real_escape_string before putting strings into a mysql query a security problem if you apply the following steps before (using PHP):

    1. take out all ' and ".
    2. apply stripslashes();
    3. apply addslashes
    4. put the string between apostrophes: insert into table set column='user entered string'

    Thanks,
    Last edited by nzo; 04-07-10 at 17:30.

  2. #2
    mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
    --Source

    If you stripslashes and then addslashes - what difference have you made to the user input?

    Why take out the single and double quotes? What if you need them, i.e. a user has entered a comment and you've removed those characters; once you get them back from the DB and display them, you've made it look like the commenter doesn't know how to write!

    It's probably easier and simpler just to use mysql_real_escape_string(). Why don't you want to use it?

    Further in the docs it says:
    This function must always (with few exceptions) be used to make data safe before sending a query to MySQL

  3. #3
    I do prefer to use mysql_real_escape_string, but a site I am working for has their own escape function, mainly for names etc so comments do not matter!

    Thanks for the info, I also read
    Code:
    This function must always (with few exceptions) be used to make data safe before sending a query to MySQL
    too, which is why I was curious about how secure not using it would be.

    I guess the logic is that stripslashes would take out all slashes, and then addslashes would escape any characters that need escaping, as in the PHP manual it states:
    Code:
    Returns a string with backslashes before characters that need to be quoted in database queries etc
    It replaces ' and " so that if data is taken out, processed in some way and then put back into a table (if it contained a ') it will not have to be escaped again.

  4. #4
    Ah I see. I thought I would have a look around and I found out that:

    Addslashes is generally not good enough when dealing with multibyte encoded strings.
    What I've actually noticed now is that addslashes() will only take care of these characters:

    Code:
    ' \ and NUL
    Whereas the mysql_real_escape_string function takes care of a lot more of the dangerous characters.

    Check this out.

  5. #5
    I thought I would do a quick test and see how well those steps work:
    Code:
    // In a double-quoted PHP string \' is not an escape sequence, so this is
    // the literal text: Adam \'\ '
    $test_string = "Adam \'\ '"; //when echo'ed: Adam \'\ '

    // Step 1: remove all single and double quotes -> Adam \\ (two adjacent backslashes)
    $test_string = str_replace("'", '', $test_string);
    $test_string = str_replace('"', '', $test_string);

    // Step 2: stripslashes() un-escapes, so \\ collapses to a single \ -> Adam \
    $test_string  = stripslashes($test_string);

    // Step 3: addslashes() escapes that remaining backslash again -> Adam \\
    $test_string  = addslashes($test_string);

    echo $test_string; //when echo'ed: Adam \\
    Still contains slashes?? This took me 5 seconds so I probably didn't think it through, logic looks like what you described though!

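The following is an added example and not code from any of the posts above. It re-implements PHP's addslashes() and stripslashes() on raw bytes from the manual's description, applies the seven-character escape set quoted in post #2 byte by byte (which is how escaping behaves when the escaper is not told the connection uses a multibyte charset), and runs the four steps from post #1 on the input from post #5. It then shows the multibyte problem post #4 refers to with a constructed two-byte input: after addslashes() the quote still has a backslash in front of it at the byte level, but a server decoding the literal as GBK swallows that backslash into a two-byte character and sees a bare quote. It does not call PHP or MySQL; the function names and the sample inputs are this example's own.

```python
"""Byte-level model of the PHP escaping steps discussed in this thread.

Added example; addslashes()/stripslashes() follow the PHP manual's description,
mysql_escape_bytes() applies the escape set from post #2 without charset
awareness, and the sample inputs are constructed for the demonstration.
"""

# addslashes(): ' " \ and NUL get a backslash in front; NUL becomes the two bytes \0
ADDSLASHES_SET = frozenset(b"'\"\\\x00")
# mysql_real_escape_string(): the seven characters listed in post #2
MYSQL_ESCAPE_MAP = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
    0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z",
}


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): escape ' " \\ and NUL, one byte at a time."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in ADDSLASHES_SET:
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def stripslashes(data: bytes) -> bytes:
    """PHP stripslashes(): drop one backslash and keep the byte after it
    (\\0 turns back into NUL; a trailing lone backslash is removed)."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] == 0x5C:
            i += 1
            if i >= n:
                break
            out.append(0x00 if data[i] == ord("0") else data[i])
        else:
            out.append(data[i])
        i += 1
    return bytes(out)


def mysql_escape_bytes(data: bytes) -> bytes:
    """The mysql_real_escape_string() escape set applied byte by byte,
    i.e. without knowledge of a multibyte connection charset."""
    out = bytearray()
    for b in data:
        out += MYSQL_ESCAPE_MAP.get(b, bytes([b]))
    return bytes(out)


def forum_custom_escape(data: bytes) -> bytes:
    """The four steps from post #1: drop quotes, stripslashes, addslashes,
    then wrap the result in single quotes for the INSERT."""
    data = data.replace(b"'", b"").replace(b'"', b"")
    data = addslashes(stripslashes(data))
    return b"'" + data + b"'"


def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Walk the escaped bytes as a server decoding them in `charset` would and
    report whether a single quote survives with no backslash in front of it,
    which is what lets a string literal be terminated early."""
    prev_backslash = False
    for ch in escaped.decode(charset):
        if ch == "\\" and not prev_backslash:
            prev_backslash = True
            continue
        if ch == "'" and not prev_backslash:
            return True
        prev_backslash = False
    return False


if __name__ == "__main__":
    # The PHP input "Adam \'\ '" from post #5, pushed through the four steps.
    print(forum_custom_escape(b"Adam \\'\\ '"))   # b"'Adam \\\\ '"
    # Constructed attacker input: a GBK lead byte followed by a single quote.
    esc = addslashes(b"\xbf'")                    # bytes bf 5c 27
    print(has_unescaped_quote(esc, "latin1"))     # False: ¿ \ '
    print(has_unescaped_quote(esc, "gbk"))        # True: 縗 '
```

Note that mysql_escape_bytes() produces exactly the same bytes as addslashes() for the GBK payload; the escape set is not what makes the difference. mysql_real_escape_string() only does better because it consults the connection's character set, which is why the client has to be told the charset through mysql_set_charset() rather than a bare SET NAMES query.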
  6. #6
    stripslashes 'Un-quotes a quoted string', so it would still contain slashes. Sorry, I should have read the PHP page on stripslashes!

    'Adam\\' is still a valid/secure mysql insert though, isn't it?

    Thanks that link is very helpful

  7. #7
    Quote Originally Posted by nzo View Post
    'Adam\\' is still a valid/secure mysql insert though, isn't it?
    It is valid, that shouldn't cause any problems as far as mysql is concerned but then what happens when you decide to return the users first name? Do work to remove slashes? Inefficient!

    I would probably just use the mysql function rather than the custom function since it is an inbuilt function that works.
