Re: Correct use of mysql_real_escape_string()

Posted by Gleep on 03/24/07 19:54

On 23 Mar 2007 23:20:16 -0700, "shimmyshack" <matt.farey@gmail.com> wrote:

>On 24 Mar, 03:27, Gleep <G...@Gleep.com> wrote:
>> On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-s...@makes-you-fat.com> wrote:
>> >Hi All,
>>
>> >I am using mysql_real_escape_string() on strings before they are entered
>> >into mySQL. This has worked Ok, but when I get the information out,
>> >single/double quotes are preceded with a \ (Escaped) so,
>> >"Something in quotes" becomes \"something in quotes\"
>>
>> >Do I need to replace \" with " before I print the string to the page? Or am
>> >I missing something? Is there an opposite to mysql_real_escape_string() that
>> >I should call on the string when reading the data from mySQL? Or perhaps I
>> >have totally missed the point of this function? :)
>>
>> >Any help/suggestions muchly appreciated!
>>
>> >Simon.
>>
>> >--
>>
>> I wrote up this function to prevent sql injections
>> I didn't test it - but it should work
>>
>> function cleanVar($str) {
>>     // numeric values are passed through unchanged
>>     if (is_numeric($str))
>>         return $str;
>>     // undo the slashes magic quotes already added, so the value is not escaped twice
>>     if (get_magic_quotes_gpc())
>>         $str = stripslashes($str);
>>     // escape with the best function this version of php provides
>>     if (function_exists('mysql_real_escape_string'))
>>         return mysql_real_escape_string($str);
>>     elseif (function_exists('mysql_escape_string'))
>>         return mysql_escape_string($str);
>>     else
>>         return addslashes($str);
>> } // end function
>>
>> // example usage (string values must still be wrapped in quotes inside the SQL)
>> $query = "UPDATE users SET name='". cleanVar($name) ."', id=". cleanVar($id);
>
>huh - you have to be kidding!!??
>no this would _not_ work, sorry
>it's not a game where you can "do it yourself" with a quick fix of
>strip/addslashes mixed with is_numeric and a call or so to magic doo-
>dah.
>There are brilliant, creative coders who are on the other end, your
>function is like making your front door entirely out of a letter box
>marked - bet you can't post stuff through here!
>

You must be a beginner coder and don't understand what magic quotes does vs mysql_escape_string.
The function I provided here is legit and correct. First, if a var is numeric you don't have to
worry about it being an sql injection. Next you have to determine whether your version of php has
magic quotes set or not. Because if it is set, you will get double escapes \\ if you use
mysql_escape. If I determine that magic quotes is on - you first must stripslash what php added -
then apply the mysql_escape function. Also since I do not know what version of php the guy might
have, I have to determine which one to use, mysql_escape or mysql_real_escape.

So the next time you decide to attack me, you better do your homework. Go look at the online manual
and you will see others providing very similar techniques. Also php6, when available, will be doing away
with magic quotes. The other option is to get into the php.ini and turn magic quotes off. However,
for some people who use shared host ISPs, they cannot do this. The function I wrote does exactly
what Simon asked for. He wanted to use mysql_escape to prevent injections yet didn't know why he
was getting double quotes. The function is designed to cover most common instances. If you take two
seconds to read the code you will see why.
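As an added example that is not part of this thread and not Gleep's function: the two defensive patterns that address Simon's double-escaping symptom and shimmyshack's injection concern, written as PHP 5-era code. It assumes magic_quotes_gpc may be on, an already-open mysql connection in $link, and placeholder PDO connection details (host, database, user and password are made up).

```php
<?php
// Added example, not code from the thread. Assumes PHP 5 with the old mysql
// extension and PDO available; $link is an existing mysql connection resource.

// Undo magic quotes exactly once, at the point where input enters the script,
// so that later escaping never sees data that already carries backslashes.
// This is what produces Simon's stored \" values: magic quotes added one
// layer of slashes and mysql_real_escape_string added a second.
function rawInput($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Escape-and-quote path (old mysql extension): every value is escaped once
// and wrapped in single quotes inside the SQL text, numeric values included,
// so an input such as 1 OR 1=1 is treated as a string literal, not as SQL.
function sqlLiteral($value, $link) {
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

$name = rawInput($_POST['name']);   // e.g. "Something in quotes" (constructed input)
$id   = rawInput($_POST['id']);

$query = "UPDATE users SET name=" . sqlLiteral($name, $link)
       . " WHERE id=" . sqlLiteral($id, $link);
mysql_query($query, $link);
// The escaping is consumed by the MySQL parser; the stored value is
// "Something in quotes" with no backslashes, so nothing has to be
// "un-escaped" when the row is read back. Backslashes in the stored data
// are the sign that a value was escaped twice on the way in.

// Preferred path (PDO prepared statements): the value never becomes part of
// the SQL text, so neither magic quotes nor any escaping logic is involved.
$pdo  = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'placeholder');
$stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
$stmt->execute(array(':name' => $name, ':id' => $id));
```

The first path keeps the thread's escaping approach but removes the two defects that cause the trouble discussed here: it strips magic quotes once at the input boundary rather than inside an escaping helper, and it quotes every literal, since an unquoted value defeats escaping entirely. The second path removes the escaping question altogether and is the one to reach for on any PHP that has PDO or mysqli.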

 
