Preventing DB crahses with inserts.

Sims wrote:

Hi,

Is there a function to insert a string safely in the DB?
To ensure that nothing the user can pass will cause an errors or unwanted
behaviour/hacking?

The html function(s) only ensure that there are not special characters.
Would replacing the words WHERE/SELECT/UPDATE/DELETE with some special words
like {W}HERE/{S}ELECT etc be safer?

mysql_escape_string($rawstring)

> >

The html function(s) only ensure that there are not special characters.
Would replacing the words WHERE/SELECT/UPDATE/DELETE with some special words like {W}HERE/{S}ELECT etc be safer?

mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?

Sims

"Sims" <si*********@hotmail.com> schrieb:

mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?

If you use MySQL: Yes.

Regards,
Matthias

Hi !

On Wed, 25 Feb 2004 20:36:40 +0200, "Sims" <si*********@hotmail.com>
wrote:

>
> The html function(s) only ensure that there are not special characters.
> Would replacing the words WHERE/SELECT/UPDATE/DELETE with some specialwords > like {W}HERE/{S}ELECT etc be safer?

mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?

You have to apply it to each value that you insert. That ensures that
noone can close the single quotes early and run an extra command.

Yes, it is common

Jochen
--
Jochen Daum - Cabletalk Group Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/

mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?

If you use MySQL: Yes.

What do you mean? it is called 'MYSQL_escape_string(...)' so you must be
using MySQL.
Or are you saying that adding an escape string is only safe with MySQL.

Sims

> You have to apply it to each value that you insert. That ensures that

noone can close the single quotes early and run an extra command.
Should i apply the same rule to Numbers? Or should I convert the string to
numbers b4 i add it to the querry?

So if i have a table like

TABLE_TEST
A = TEXT
B = INT(11)

should i do...

UPDATE TABLE_TEST SET A = '".mysql_escape_string($givenA)."',
B='".mysql_escape_string($givenB)."'";

or

UPDATE TABLE_TEST SET A = '".mysql_escape_string($givenA)."',
B='".intval($givenB)."'";

Yes, it is common

Thanks.

Regards,

Sims

"Sims" <si*********@hotmail.com> schrieb:

mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?
If you use MySQL: Yes.

What do you mean? it is called 'MYSQL_escape_string(...)' so you must be
using MySQL.

Yes.
Or are you saying that adding an escape string is only safe with MySQL.

I think it should be safe with other databases, but I don't know every
existing RDBMS around, so I don't know if this will work everywhere.

Regards,
Matthias

Hi!

On Thu, 26 Feb 2004 10:59:19 +0200, "Sims" <si*********@hotmail.com>
wrote:

You have to apply it to each value that you insert. That ensures that
noone can close the single quotes early and run an extra command.

Should i apply the same rule to Numbers? Or should I convert the string to
numbers b4 i add it to the querry?

So if i have a table like

TABLE_TEST
A = TEXT
B = INT(11)

should i do...

UPDATE TABLE_TEST SET A = '".mysql_escape_string($givenA)."',
B='".mysql_escape_string($givenB)."'";

or

UPDATE TABLE_TEST SET A = '".mysql_escape_string($givenA)."',
B='".intval($givenB)."'";

I prefer latter. Its also closer to the SQL standard I believe.

HTH, Jochen
--
Jochen Daum - Cabletalk Group Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/

Hi!

On Thu, 26 Feb 2004 18:07:40 +0100, Matthias Esken
<mu******************@usenetverwaltung.org> wrote:

"Sims" <si*********@hotmail.com> schrieb:

> mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?

If you use MySQL: Yes.
What do you mean? it is called 'MYSQL_escape_string(...)' so you must be
using MySQL.

Yes.

Or are you saying that adding an escape string is only safe with MySQL.

I think it should be safe with other databases, but I don't know every
existing RDBMS around, so I don't know if this will work everywhere.

Informix and MSSQL uses '' to esacpe a single quote. So it is neither
safe, nor correct there.

HTH, Jochen


Regards,
Matthias

--
Jochen Daum - Cabletalk Group Ltd.
PHP DB Edit Toolkit -- PHP scripts for building
database editing interfaces.
http://sourceforge.net/projects/phpdbedittk/

On Thu, 26 Feb 2004 18:07:40 +0100, Matthias Esken
<mu******************@usenetverwaltung.org> wrote:

> mysql_escape_string($rawstring)

But will that guarantee that the query can never be hacked?
Is that the common way of solving the problem?

If you use MySQL: Yes.

What do you mean? it is called 'MYSQL_escape_string(...)' so you must be
using MySQL.

Yes.

Or are you saying that adding an escape string is only safe with MySQL.

I think it should be safe with other databases, but I don't know every
existing RDBMS around, so I don't know if this will work everywhere.

Sensible databases support bind variables/placeholders, separating data from
the SQL, and so avoiding the issue entirely.

--
Andy Hassall <an**@andyh.co.uk> / Space: disk usage analysis tool
<http://www.andyh.co.uk> / <http://www.andyhsoftware.co.uk/space>