Posted by Jerry Stuckle on 11/19/06 13:43
Andrew C wrote:
> "Jerry Stuckle" <jstucklex@attglobal.net> wrote in message
> news:GJOdnYFLJMolnsPYnZ2dnUVZ_q-dnZ2d@comcast.com...
>
>>gzerphey wrote:
>>
>>>Thank you in advance for helping.
>>>
>>>I have a bit of a problem with MySQL and PHP working together. More
>>>specifically when i use htmlspecialchars() to encode my text then load
>>>it into the database, it is interpreting the special characters and
>>>decoding them.
>>>
>>>Is there any way that I can preserve this coding and make sure it stays
>>>in my database?
>>>
>>>Example:
>>>
>>>Here is what is entered -- t%20t
>>>Here is what is showing in the database now -- t t
>>>here is what I would like to see -- t%20t
>>>
>>>Thank you again,
>>>
>>
>>htmlspecialchars() is for displaying special characters, not storing them
>>in the database. You should be using it to display the data, not place it
>>in the database.
>>
>>What you should do is store the data as is entered (use
>>mysql_real_escape_string() to handle any database-specific special
>>characters).
>
>
> (Apologies for thread hijacking...)
>
> I took a look at the PHP documentation for mysql_real_escape_string()
> (http://uk.php.net/manual/en/function.mysql-real-escape-string.php) and saw
> an example of an 'SQL Injection Attack' (Example 2 on that page) along with
> their solution (Example 3).
>
> In their example, wouldn't magic quotes be sufficient to thwart the attack?
>
First of all, magic_quotes is bad. It changes the data without the
user's knowledge. Even worse, it can be turned on or off - either
breaking scripts or requiring extra gyrations to handle either on or off.
Second, mysql_real_escape_string() is a mysql function sensitive to the
charset in use in the table. It is also designed specifically for
inserting into/updating a MySQL database. magic_quotes is a generic
function, not sensitive to character sets.
> In their example, someone supplies $_POST['password'] of "' OR ''='". With
> magic quotes on, this would become "\' OR \'\'=\'", correct? When used in
> their example query, this would be:
>
> SELECT * FROM users WHERE user='username' AND password='\' OR \'\'=\''
>
> Wouldn't that be okay?
>
> I would be grateful if someone could point out any misunderstandings I have.
>
> Thanks.
>
> A.
>
>
While magic_quotes *could* be sufficient, it's much better to use the
function designed for the job.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
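To illustrate the two points made in this thread (store input as entered and escape it only when displaying; keep user-supplied values out of the SQL text), here is an added example that is not part of the original posts. It uses PDO prepared statements against an in-memory SQLite database so it runs offline; the table layout, the sample user and the DSN are assumptions, and for MySQL only the DSN would change.

```php
<?php
// Added example (not from the original thread). Store user input unchanged via a
// parameterised query and apply htmlspecialchars() only at the output boundary.
// Uses an in-memory SQLite database through PDO so it runs offline; for MySQL the
// only change is the DSN, e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4'
// (the host and database name there are placeholders).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT NOT NULL, password TEXT NOT NULL, note TEXT)');

// Store the raw value. No htmlspecialchars() here: the database should hold exactly
// what was entered (e.g. "t%20t"); the driver handles quoting through the placeholders.
// In a real application the password column would hold a password_hash() value and
// verification would use password_verify(); the plain comparison mirrors the manual's query.
function addUser(PDO $db, string $user, string $password, string $note): void
{
    $stmt = $db->prepare('INSERT INTO users (user, password, note) VALUES (:u, :p, :n)');
    $stmt->execute([':u' => $user, ':p' => $password, ':n' => $note]);
}

// Login check with bound parameters: the submitted password is compared as data and is
// never spliced into the SQL text, so quote characters in it cannot alter the query.
function loginOk(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE user = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $password]);
    return (int) $stmt->fetchColumn() === 1;
}

// Read the stored value back untouched, to show that nothing was decoded on the way in.
function storedNote(PDO $db, string $user): string
{
    $stmt = $db->prepare('SELECT note FROM users WHERE user = :u');
    $stmt->execute([':u' => $user]);
    return (string) $stmt->fetchColumn();
}

// HTML encoding belongs here, when rendering, not when inserting.
function renderNote(PDO $db, string $user): string
{
    return '<p>' . htmlspecialchars(storedNote($db, $user), ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample data.
addUser($db, 'alice', 'correct horse', 't%20t & <b>bold</b>');

// The value comes back exactly as entered.
echo storedNote($db, 'alice'), "\n";

// The password from the manual's injection example is treated as a literal string,
// so it does not authenticate; the real password does.
var_dump(loginOk($db, 'alice', "' OR ''='"));
var_dump(loginOk($db, 'alice', 'correct horse'));

// The same stored text, escaped only for display.
echo renderNote($db, 'alice'), "\n";
```

If the code must build the SQL string by hand instead of binding parameters, the thread's advice still applies: call the driver's escaping function rather than relying on magic_quotes, and with mysqli set the connection charset first with mysqli_set_charset() so that mysqli_real_escape_string() escapes according to the charset actually in use.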