Re: Correct use of mysql_real_escape_string()

Posted by shimmyshack on 03/24/07 19:21

On 24 Mar, 19:54, Gleep <G...@Gleep.com> wrote:
> On 23 Mar 2007 23:20:16 -0700, "shimmyshack" <matt.fa...@gmail.com> wrote:
>
>
>
> >On 24 Mar, 03:27, Gleep <G...@Gleep.com> wrote:
> >> On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-s...@makes-you-fat.com> wrote:
> >> >Hi All,
>
> >> >I am using mysql_real_escape_string() on strings before they are entered
> >> >into mySQL. This has worked OK, but when I get the information out,
> >> >single/double quotes are preceded with a \ (escaped) so,
> >> >"Something in quotes" becomes \"something in quotes\"
>
> >> >Do I need to replace \" with " before I print the string to the page? Or am
> >> >I missing something? Is there an opposite to mysql_real_escape_string() that
> >> >I should call on the string when reading the data from mySQL? Or perhaps I
> >> >have totally missed the point of this function? :)
>
> >> >Any help/suggestions muchly appreciated!
>
> >> >Simon.
>
> >> >--
>
> >> I wrote up this function to prevent sql injections
> >> i didn't test it - but it should work
>
> >> function cleanVar($str) {
> >>     // numbers are passed through untouched
> >>     if(is_numeric($str))
> >>         return $str;
> >>     // magic_quotes_gpc has already added slashes; remove them first so
> >>     // the escape call below does not escape them a second time
> >>     if(get_magic_quotes_gpc()) {
> >>         $str = stripslashes($str);
> >>     } // end magic
> >>     // escape with the best function this PHP build provides
> >>     if(function_exists('mysql_real_escape_string'))
> >>         return mysql_real_escape_string($str);
> >>     elseif(function_exists('mysql_escape_string'))
> >>         return mysql_escape_string($str);
> >>     else
> >>         return addslashes($str);
> >> } // end function
>
> >> // example usage
> >> $query = "UPDATE users SET name=". cleanVar($name) .", id=". cleanVar($id) ." ";
>
> >huh - you have to be kidding!!??
> >no this would _not_ work, sorry
> >it's not a game where you can "do it yourself" with a quick fix of
> >strip/addslashes mixed with is_numeric and a call or so to magic doo-
> >dah.
> >There are brilliant, creative coders who are on the other end, your
> >function is like making your front door entirely out of a letter box
> >marked - bet you can't post stuff through here!
>
> You must be a beginner coder and don't understand what magic quotes does vs mysql_escape_string.
> The function I provided here is legit and correct. First, if a var is numeric you don't have to
> worry about it being an sql injection. Next you have to determine whether your version of php has
> magic quotes set or not. Because if it is set, you will get double escapes \\ if you use
> mysql_escape. If I determine that magic quotes is on - you first must stripslash what php added -
> then apply the mysql_escape function. Also since I do not know what version of php the guy might
> have, I have to determine which one to use, mysql_escape or mysql_real_escape.
>
> So the next time you decide to attack me, you better do your homework. Go look at the online manual
> and you will see others providing very similar techniques. Also php6, when available, will be doing away
> with magic quotes. The other option is to get into the php.ini and turn magic quotes off. However
> for some people who use shared hosting ISPs, they can not do this. The function I wrote does exactly
> what Simon asked for. He wanted to use mysql_escape to prevent injections yet didn't know why he
> was getting double quotes. The function is designed to cover most common instances. If you take two
> seconds to read the code you will see why.


all you have done is use an available function for each version, which
have of course been superseded by the later versions for good reason!
mysql_escape_string is deprecated for good reason
addslashes is trivial to subvert, you can do SQL injection without
using a quote for instance!
is_numeric is also no protection

what you should have done is create a function called
mysql_real_escape_string if it does not exist and provide the
functionality lacking in those older versions, instead of using
whatever ineffective protection is afforded in that particular
version.

good protection comes from using regular expressions, bounds checking,
proper type casting, and not through the use of such functions as
addslashes!! For instance the function is_numeric is not "is this an
integer" so what is it doing as the only line of defence before using
the return directly in the query?

I think it is you who needs to go read up on this subject, while I admit I
do think of myself as an average programmer, it seems I have done more
reading on this particular subject than you, rather than waste your
time criticising me, why not provide me with a reason why what I said
is wrong!
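As an added illustration of the points made in the reply above (an injection that contains no quote, is_numeric() not being an integer check, and casting plus bounds checking as the alternative) and of the double escaping Simon asked about at the top of the thread. This is example code written for this page, not code posted by anyone in the thread; it assumes a `users` table with `id` and `name` columns, and it uses addslashes() as a stand-in for mysql_real_escape_string() so that it runs without a database connection.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It shows three things argued above:
// (1) the double escaping Simon saw when magic_quotes_gpc and an escape call
//     are both applied, (2) why is_numeric() plus escaping does not stop an
//     injection that contains no quote, and (3) a checked, typed alternative
//     plus a prepared statement. addslashes() stands in for
//     mysql_real_escape_string() here (assumption) so the script needs no DB.

/** Emulate the query that cleanVar()-style code builds for an unquoted id. */
function buildUnquotedQuery(string $id): string
{
    // mirrors the thread's pattern: numeric-looking input goes in untouched,
    // everything else is escaped, which only touches quotes and backslashes
    $clean = is_numeric($id) ? $id : addslashes($id);
    return "SELECT name FROM users WHERE id=" . $clean;
}

/** What MySQL ends up storing when magic quotes and escaping are both applied. */
function storedAfterDoubleEscape(string $input): string
{
    $fromRequest = addslashes($input);        // magic_quotes_gpc added this layer
    $inQuery     = addslashes($fromRequest);  // the explicit escape call added another
    return stripslashes($inQuery);            // MySQL removes exactly one layer
}

/** Strict integer id: digits only, bounded, cast to int. Throws on anything else. */
function cleanId(string $raw): int
{
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        throw new InvalidArgumentException("id must be a decimal integer string");
    }
    $id = (int) $raw;
    if ($id < 1 || $id > 2147483647) {     // bounds for a signed 32-bit INT column
        throw new InvalidArgumentException("id out of range");
    }
    return $id;
}

/** The parameterised form: the value never becomes part of the SQL text. */
function findUserName(PDO $db, string $rawId): ?string
{
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->execute([cleanId($rawId)]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// ---- demo over constructed sample inputs ----
echo storedAfterDoubleEscape('"Something in quotes"'), "\n";
// prints \"Something in quotes\"  (the stray backslashes Simon asked about)

$samples = ['42', '1 OR 1=1', '1e3', ' 42'];

foreach ($samples as $raw) {
    printf("%-12s is_numeric=%-5s query: %s\n",
        var_export($raw, true),
        is_numeric($raw) ? 'true' : 'false',
        buildUnquotedQuery($raw));
}
// '1 OR 1=1' fails is_numeric, is "escaped" unchanged (there is no quote to
// escape) and still lands in the query as  WHERE id=1 OR 1=1.
// '1e3' and ' 42' pass is_numeric although neither is an integer literal.

foreach ($samples as $raw) {
    try {
        printf("cleanId(%s) = %d\n", var_export($raw, true), cleanId($raw));
    } catch (InvalidArgumentException $e) {
        printf("cleanId(%s) rejected: %s\n", var_export($raw, true), $e->getMessage());
    }
}
```

cleanId() accepts only '42' of the four samples; the other three are rejected before any SQL is built. findUserName() is the shape to aim for regardless of the type check: with a prepared statement the escaping question, and therefore the double-escaping problem, disappears, because the parameter is sent separately from the query text.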

 
