Posted by Gleep on 03/25/07 00:54
On 24 Mar 2007 12:21:30 -0700, "shimmyshack" <matt.farey@gmail.com> wrote:
>On 24 Mar, 19:54, Gleep <G...@Gleep.com> wrote:
>> On 23 Mar 2007 23:20:16 -0700, "shimmyshack" <matt.fa...@gmail.com> wrote:
>>
>> >On 24 Mar, 03:27, Gleep <G...@Gleep.com> wrote:
>> >> On Fri, 23 Mar 2007 20:09:57 GMT, "Simon Harris" <too-much-s...@makes-you-fat.com> wrote:
>> >> >Hi All,
>>
>> >> >I am using mysql_real_escape_string() on strings before they are entered
>> >> >into mySQL. This has worked OK, but when I get the information out,
>> >> >single/double quotes are preceded with a \ (escaped) so,
>> >> >"Something in quotes" becomes \"something in quotes\"
>>
>> >> >Do I need to replace \" with " before I print the string to the page? Or am
>> >> >I missing something? Is there an opposite to mysql_real_escape_string() that
>> >> >I should call on the string when reading the data from mySQL? Or perhaps I
>> >> >have totally missed the point of this function? :)
>>
>> >> >Any help/suggestions muchly appreciated!
>>
>> >> >Simon.
>>
>> >> >--
>>
>> >> I wrote up this function to prevent SQL injections.
>> >> I didn't test it, but it should work.
>>
>> >> function cleanVar($str) {
>> >>     if(is_numeric($str))
>> >>         return $str;
>> >>     // undo what magic_quotes_gpc added, so the value is not escaped twice
>> >>     if(get_magic_quotes_gpc())
>> >>         $str = stripslashes($str);
>> >>     // escape exactly once, with the best function this php version has
>> >>     if(function_exists('mysql_real_escape_string'))
>> >>         return mysql_real_escape_string($str);
>> >>     elseif(function_exists('mysql_escape_string'))
>> >>         return mysql_escape_string($str);
>> >>     else
>> >>         return addslashes($str);
>> >> } // end function
>>
>> >> // example usage - the escaped values still have to sit inside quotes
>> >> $query = "UPDATE users SET name='". cleanVar($name) ."', id='". cleanVar($id) ."' ";
>>
>> >huh - you have to be kidding!!??
>> >no this would _not_ work, sorry
>> >it's not a game where you can "do it yourself" with a quick fix of
>> >strip/addslashes mixed with is_numeric and a call or so to magic doo-dah.
>> >There are brilliant, creative coders who are on the other end, your
>> >function is like making your front door entirely out of a letter box
>> >marked - bet you can't post stuff through here!
>>
>> You must be a beginner coder and don't understand what magic quotes does vs mysql_escape_string.
>> The function I provided here is legit and correct. First, if a var is numeric you don't have to
>> worry about it being an SQL injection. Next you have to determine whether your version of PHP has
>> magic quotes set or not. Because if it is set, you will get double escapes \\ if you use
>> mysql_escape. If I determine that magic quotes is on, you first must stripslash what PHP added,
>> then apply the mysql_escape function. Also, since I do not know what version of PHP the guy might
>> have, I have to determine which one to use, mysql_escape or mysql_real_escape.
>>
>> So the next time you decide to attack me, you had better do your homework. Go look at the online manual
>> and you will see others providing very similar techniques. Also, PHP 6 when available will be doing away
>> with magic quotes. The other option is to get into the php.ini and turn magic quotes off. However,
>> for some people who use shared hosting ISPs, they cannot do this. The function I wrote does exactly
>> what Simon asked for. He wanted to use mysql_escape to prevent injections yet didn't know why he
>> was getting double quotes. The function is designed to cover the most common instances. If you take two
>> seconds to read the code you will see why.
>
>
>all you have done is use an available function for each version, which
>have of course been superseded by the later versions for good reason!
>mysql_escape_string is deprecated for good reason
>addslashes is trivial to subvert, you can do SQL injection without
>using a quote for instance!
>is_numeric is also no protection
>
>what you should have done is create a function called
>mysql_real_escape_string if it does not exist and provide the
>functionality lacking in those older versions, instead of using
>whatever ineffective protection is afforded in that particular
>version.
>
>good protection comes from using regular expressions, bounds checking,
>proper type casting, and not through the use of such functions as
>addslashes!! For instance the function is_numeric is not "is this an
>integer" so what is it doing as the only line of defence before using
>the return directly in the query?
>
>I think it is you who needs to go read up on this subject, while I admit I
>do think of myself as an average programmer, it seems I have done more
>reading on this particular subject than you, rather than waste your
>time criticising me, why not provide me with a reason why what I said
>is wrong!
>
Shimmy is just being a butt-plug without really providing anything useful. Read up.
http://www.php.net/manual/en/function.get-magic-quotes-gpc.php
http://www.php.net/manual/en/function.mysql-real-escape-string.php
One will see how I derived this function and what it's used for.
"..good protection comes from using regular expressions, bounds checking, proper type casting,.."
Yes, I do agree with that line; however, not all programmers take the time to write validations, nor do
they know how to use preg_match, preg_replace, replacing characters that are not ASCII or out of
bounds etc. Simon needed to know why he was getting double escapes. He most likely was not
aware that using mysql_real_escape_string with magic quotes on double-escapes values. This is my
last comment, I need to move on and do other things than bicker with Shimmy.
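A cleaned-up version of the approach the thread argues over, added here as an example and not code from either poster: magic quotes are undone once at input time and values are quoted once at query time, so stored rows never contain the backslashes Simon saw. It assumes a PHP 5 environment with the legacy mysql extension, and $link is a hypothetical connection handle from mysql_connect().

```php
<?php
// Added example, not from the thread. Assumes PHP 5 with the legacy mysql
// extension; $link is a hypothetical connection returned by mysql_connect().

// Undo magic_quotes_gpc on raw request input, recursing into arrays, so
// every value is the literal text the user typed. Run this once per request,
// before any escaping, or the value is escaped twice and "\"" ends up stored.
function undoMagicQuotes($value) {
    if (is_array($value)) {
        return array_map('undoMagicQuotes', $value);
    }
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Build a quoted SQL string literal. Escaping is a property of the query
// text, not of the data: MySQL removes the backslashes when it parses the
// literal, so nothing has to be "unescaped" when the row is read back.
function sqlString($str, $link) {
    return "'" . mysql_real_escape_string($str, $link) . "'";
}

// Force integers with a cast instead of testing with is_numeric(), which
// also accepts floats, exponent forms such as "1e3" and leading whitespace.
function sqlInt($value) {
    return (string) (int) $value;
}

// Constructed request data standing in for what a browser would send.
$_POST = array('name' => 'Something in "quotes"', 'id' => '42');
$_POST = undoMagicQuotes($_POST);

$name = isset($_POST['name']) ? $_POST['name'] : '';
$id   = isset($_POST['id'])   ? $_POST['id']   : 0;

$query = "UPDATE users SET name=" . sqlString($name, $link)
       . " WHERE id=" . sqlInt($id);
// Query text sent to MySQL:
//   UPDATE users SET name='Something in \"quotes\"' WHERE id=42
// A later SELECT returns: Something in "quotes"   (no backslashes)
```

Where the driver supports them, parameterised queries (mysqli or PDO prepared statements) remove the quoting step from application code entirely, and the magic quotes clean-up at input time still applies.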