|
|
Posted by shimmyshack on 03/25/07 02:01
On 25 Mar, 00:54, Gleep <G...@Gleep.com> wrote:
> On 24 Mar 2007 12:21:30 -0700, "shimmyshack" <matt.fa...@gmail.com> wrote:
>
>
>
> >On 24 Mar, 19:54, Gleep <G...@Gleep.com> wrote:
> >> On 23 Mar 2007 23:20:16 -0700, "shimmyshack" <matt.fa...@gmail.com> wrote:
>
> >> >On 24 Mar, 03:27, Gleep <G...@Gleep.com> wrote:
> >> >> On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-s...@makes-you-fat.com> wrote:
> >> >> >Hi All,
>
> >> >> >I am using mysql_real_escape_string() on strings before they are entered
> >> >> >into mySQL. This has worked Ok, but when I get the information out,
> >> >> >single/double quotes are preceeded with a \ (Escaped) so,
> >> >> >"Something in quotes" becomes \"something in quotes\"
>
> >> >> >Do I need to replace \" with " before I print the string to the page? Or am
> >> >> >I missing something? Is there an opposite to mysql_real_escape_string() that
> >> >> >I should call on the string when reading the data from mySQL? Or perhaps I
> >> >> >have totally missed the point of this function? :)
>
> >> >> >Any help/suggestions muchly appreciated!
>
> >> >> >Simon.
>
> >> >> >--
>
> >> >> I wrote up this function to prevent sql injections
> >> >> i didn't test it - but it should work
>
> >> >> function cleanVar($str) {
> >> >> if(is_numeric($str))
> >> >> return $str;
> >> >> else {
> >> >> if(get_magic_quotes_gpc()) {
> >> >> $str = stripslashes($str);
> >> >> if(function_exists('mysql_real_escape_string'))
> >> >> return mysql_real_escape_string($str);
> >> >> elseif(function_exists('mysql_escape_string'))
> >> >> return mysql_escape_string($str);
> >> >> else
> >> >> return addslashes($str);
> >> >> } // end magic
> >> >> } // end numeric
>
> >> >> } // end function
>
> >> >> // example usage
> >> >> $query = "UPDATE users SET name=". cleanVar($name) .", id=". cleanVar($id) ." ";
>
> >> >huh - you have to be kidding!!??
> >> >no this would _not_ work, sorry
> >> >it's not a game where you can "do it yourself" with a quick fix of
> >> >strip/addslashes mixed with is_numeric and a call or so to magic doo-
> >> >dah.
> >> >There are brilliant, creative coders who are on the other end, your
> >> >function is like making your front door entirely out of a letter box
> >> >marked - bet you can't post stuff through here!
>
> >> You must be a beginner coder and don't understand what magic quotes does vs mysql_escape string.
> >> The function I provided here is legit and correct. First if a var is numeric you don't have to
> >> worry about it being an sql injection. Next you have to determine does your version of php has
> >> magic quotes set or not. Because if it is set, you will get double escapes \\ if you use
> >> mysql_escape. If I determine that magic quotes is on - you first must stripslash what php added -
> >> then apply the mysql_escape function. Also since I do not know what version of php the guy might
> >> have, I have to determine which one to use mysql_escape or mysql_real_escape.
>
> >> So the next time you decide to attack me, you better do your homework. Go look at the online manual
> >> and you will others providing very similar techniques. Also php6 when available will be doing away
> >> with magic quotes. The other option is to get into the php.ini and turn magic quotes off. However
> >> for some people who use a shared hosts IPS, they can not do this. The function I wrote does exactly
> >> what Simon asked for. He wanted to use mysql_escape to prevent injections yet didn't know why he
> >> was getting double quotes. The function is designed to cover most common instances. If you take two
> >> seconds to read the code you will see why.
>
> >all you have done is use an available function for each version, which
> >have of course been superceeded by the later versions for good reason!
> >mysql_escape_string is deprecated for good reason
> >addslashes is trivial to subvert, you can do SQL injection without
> >using a quote for instance!
> >is_numeric is also no protection
>
> >what you should have done is create a function called
> >mysql_real_escape_string if it does not exist and provide the
> >functionality lacking in those older versions, instead of using
> >whatever ineffective protection is afforded in that particular
> >version.
>
> >good protection comes from using regular expressions, bounds checking,
> >proper type casting, and not through the use of such functions as
> >addslashes!! FOr instance the function is_numeric is not "is this an
> >integer" so what is it doing as the only line of defence before using
> >the return directly in the query?
>
> >I think it you who need to go read up on this subject, while I admit I
> >do think of myself as an average programmer, it seems I have done more
> >readin on this particular subject than you, rather than waste your
> >time criticising me, why not provide me with a reason why what I said
> >is wrong!
>
> Shimmy is just being a butt-plug without really providing anything useful.
advice is useful - if you can take it; and as the title of the post is
"correct use of mysql_real_escape string()" I think I am entitled to
promote it's use, of course we can all visit the manual for examples
of it's use on a server with magic quotes on at runtime. It's not just
php6 BTW, but also php5 which has this set to off which is nice.
In this case the advice is: Try not to write wrappers which fall back
to compromised techniques simply based on php version, instead
fallback to an implementation of the newest version's functionality -
in this case recreate mysql_real_escape_string()
mysql_real_escpae_string() isn't that different from addslashes after
all
An illustration of this approach is file_put_contents. Before the
switch from 4 to 5, early adopters loved the simplicty and familiarity
of file_put_contents (complented file_get_contents) so they simply
created their own version wrapping fopen fwrite etc... enabling them
to future proof their code.
In this case the aim is to ensure security when using the code on an
old install, or on a server where mysql_real_scape_string is either
not available or turned off.
BTW have you (the OP) considered using php5.1+ with PDO - a nice
friendly OO interface, allowing simple code with great abstration. You
get to use secure code without implementing every nut and bolt
yourself; there are a host of other benefits too.
Navigation:
[Reply to this message]
|