I don't need mysql_real_escape_string?

My raw POST seems to return already escaped...so if
the php is set to do it for me, then I shouldn't
do anything more? [for that particular aspect, anyway]?

--thelma
Jun 2 '08 #1
On Sat, 17 May 2008 01:31:27 +0200, <th****@uwm.edu> wrote:
My raw POST seems to return already escaped...so if
the php is set to do it for me, than I shouldn't
do anything more? [for that particular aspect, anyway]?
magic_quotes_gpc is on on your host, and that feature should not be
trusted to escape data to prevent mysql injection as it amongst others
can choke on multibyte characters missing (or even creating...) quotes.

This feature is one of PHP's mistakes, and as they state
(<http://nl2.php.net/magic_quotes>):
"Warning: This feature has been DEPRECATED and REMOVED as of PHP 6.0.0.
Relying on this feature is highly discouraged."
And (<http://nl2.php.net/manual/en/security.magicquotes.why.php>):
"..Although SQL Injection is still possible with magic quotes on, the risk
is reduced."

Try to turn it off, either by server/php.ini config or .htaccess files if
possible. If not, stripslashes() from the string is magic_quotes_gpc()
returns true, and hopefully enjoy the real data received. Use the real
function meant for this purpose, which other than magic_quotes CAN
communicate with the database and know what kind of escaping is needed.
--
Rik Wasmus
....spamrun finished
Jun 2 '08 #2
What you are noticing is get_magic_quotes_gpc (GET, POST & COOKIE).

This is a setting turned on and off in the php.ini file.

Just because this is set to on in your instance does not mean that it
will be so on another server.

Also magic quotes gpc does not stop other problems that may occur as a
result of dodgy user input.

You should always escape user input properly. Also, I'm pretty sure
(but not 100%) that magic quotes are deprecated as of php6.
Jun 2 '08 #3
ha ha, looks like I was beaten to the mark :-)
Jun 2 '08 #4
If not, stripslashes() from the string is magic_quotes_gpc()
returns true, and hopefully enjoy the real data received.

why is stripslashes needed? I thought mysql_real_escape_string was all
that was needed to prevent sql injection. am I wrong?
Jun 2 '08 #5
On Sat, 17 May 2008 01:57:05 +0200, sebastian <se************@gmail.com> wrote:
> If not, stripslashes() from the string is magic_quotes_gpc()
This should read: run stripslashes() on your variables if the return of
magic_quotes_gpc() is true.
> returns true, and hopefully enjoy the real data received.
>
> why is stripslashes needed? I thought mysql_real_escape_string was all
> that was needed to prevent sql injection. am I wrong?
Because magic_quotes_gpc ALTERS the data you receive. If you can't turn it
off, stripslashes is just damage control trying to undo the nasty little
work it did on your variables. If your name was O'Neill, would you like it
be constantly called O\'Neill?
--
Rik Wasmus
....spamrun finished
Jun 2 '08 #6
sebastian wrote:
why is stripslashes needed? I thought mysql_real_escape_string was all
that was needed to prevent sql injection. am I wrong?
stripslashes is a generic escape function, whereas mysql_real_escape_string
is tailored to mysql functions (e.g. they take into account the kind of
text encoding you're using in your database).

My advice is to use variable binding when possible; if not, use the escape
function tailored for the DB backend in use.

--
----------------------------------
Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-

No perturbo. Disturbó ya!
Jun 2 '08 #7
On Sat, 17 May 2008 02:13:45 +0200, Iván Sánchez Ortega
<ivansanchez-alg@rroba-escomposlinux.-.punto.-.org> wrote:
> sebastian wrote:
> > why is stripslashes needed? I thought mysql_real_escape_string was all
> > that was needed to prevent sql injection. am I wrong?
>
> stripslashes is a generic escape function,
UNescape :P
> My advice is to use variable binding when possible; if not, use the
> escape function tailored for the DB backend in use.
Real prepared statements win every time indeed.
--
Rik Wasmus
....spamrun finished
Jun 2 '08 #8
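The "variable binding" and "real prepared statements" the last two replies recommend, as an added example that is not part of the thread. It shows the same insert three ways: a mysqli prepared statement, a PDO prepared statement with client-side emulation switched off, and the escaping fallback for code that cannot bind. The table name `members`, the column `name`, the connection credentials and the DSN are placeholders I made up for illustration.

```php
<?php
// Added example (not from the thread). Table "members", column "name" and all
// connection parameters below are assumptions for illustration.
declare(strict_types=1);

// Simulated form input, as it arrives with magic_quotes_gpc OFF.
// "O'Neill" carries the quote character that escaping exists to handle.
$name = "O'Neill";

// --- 1. mysqli with a real server-side prepared statement -----------------
// The SQL text never contains user data: MySQL receives the statement and
// the parameter separately, so no quote inside $name can alter the query.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$db->set_charset('utf8mb4'); // the connection charset is what escaping and binding are computed for

$stmt = $db->prepare('INSERT INTO members (name) VALUES (?)');
$stmt->bind_param('s', $name); // 's' = bind as a string
$stmt->execute();
$stmt->close();

// --- 2. PDO, with emulated prepares turned off -----------------------------
// With ATTR_EMULATE_PREPARES = true PDO builds the SQL string on the client
// by escaping values itself; turning it off makes the server do the binding,
// which is what "real prepared statements" means.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4', // placeholder DSN
    'app_user',
    'app_password',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);
$select = $pdo->prepare('SELECT id, name FROM members WHERE name = :name');
$select->execute([':name' => $name]);

// --- 3. The escaping fallback, for code that cannot use binding --------------
// Escaping is only meaningful inside a quoted string literal in the SQL text,
// and it must go through the connection so that the escaping matches the
// connection's charset (the point made above: the server knows what to escape).
$sql = "INSERT INTO members (name) VALUES ('" . $db->real_escape_string($name) . "')";
$db->query($sql);
```

The escaping variant is the one that gives beginners trouble: it only works when the value is placed between quotes in the SQL text, and it is useless for numbers or identifiers that are not quoted. Binding has no such rule, which is why the replies prefer it.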
On Sat, 17 May 2008 02:13:45 +0200, Iván Sánchez Ortega wrote:
sebastian wrote:
>why is stripslashes needed? I thought mysql_real_escape_string was
all that was needed to prevent sql injection. am I wrong?

stripslashes is a generic escape function, whereas
mysql_real_escape_string is tailored to mysql functions (e.g. they
take into account the kind of text encoding you're using in your
database).

My advice is to use variable binding when possible; if not, use the
escape function tailored for the DB backend in use.
It's also version-aware, because it makes the mysql server do the
work. So if the MySQL server ever adds a new quoting character, or
otherwise makes something special, the mysql_real_escape_string will
*automatically* do the right thing, even if PHP isn't upgraded at the
same time.

--
The trouble with things that extend your lifespan is that they happen at
wrong end. I'd hate to be wearing Depends at 85 and thinking "I gave up
booze and cigarettes for three more years of this."
Jun 2 '08 #9
Rik Wasmus <lu************@hotmail.com> wrote:
: On Sat, 17 May 2008 01:31:27 +0200, <th****@uwm.edu> wrote:
: My raw POST seems to return already escaped...so if
: the php is set to do it for me, than I shouldn't
: do anything more? [for that particular aspect, anyway]?

: magic_quotes_gpc is on on your host, and that feature should not be
: trusted to escape data for to prevent mysql injection as it amongst others
: can choke on multibyte characters missing (or even creating...) quotes.

<snip>
: Try to turn it off, either by server/php.ini config or .htaccess files if
: possible. If not, stripslashes() from the string is magic_quotes_gpc()
: returns true, and hopefully enjoy the real data received. Use the real
: function meant for this purpose, which other then magic_quotes CAN
: communicate with the database and know what kind of escaping is needed.

Thanks to all: I can't control the php implementation [I can at
home, but it has to run on the other one], so I'm using stripslashes
before applying mysql_real_escape_string.

Then I immediately ran into the special characters problem -- there
were some quotes in the incoming text. It took me a long time to
figure out that the problem wasn't in the database: perhaps the two
traps should be discussed at the same time.

--thelma
Jun 2 '08 #10
th****@uwm.edu wrote:
Rik Wasmus <lu************@hotmail.com> wrote:
: On Sat, 17 May 2008 01:31:27 +0200, <th****@uwm.edu> wrote:
: My raw POST seems to return already escaped...so if
: the php is set to do it for me, than I shouldn't
: do anything more? [for that particular aspect, anyway]?

: magic_quotes_gpc is on on your host, and that feature should not be
: trusted to escape data for to prevent mysql injection as it amongst others
: can choke on multibyte characters missing (or even creating...) quotes.

<snip>
: Try to turn it off, either by server/php.ini config or .htaccess files if
: possible. If not, stripslashes() from the string is magic_quotes_gpc()
: returns true, and hopefully enjoy the real data received. Use the real
: function meant for this purpose, which other then magic_quotes CAN
: communicate with the database and know what kind of escaping is needed.

Thanks to all: I can't control the php implementation [I can at
home, but it has to run on the other one], so I'm using stripslashes
before applying mysql_real_escape_string.

Then I immediately ran into the special characters problem -- there
were some quotes in the incoming text. It took me a long time to
figure out that the problem wasn't in the data base: perhaps the two
traps should be discussed at the same time.

--thelma
mysql_real_escape_string() handles the quote characters automatically.
It should be all you need.

And if your hosting company is still running with magic_quotes_gpc() on,
I'd suggest changing hosting companies. There are too many out there
who won't make your life miserable.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 2 '08 #11
Jerry Stuckle <js*******@attglobal.net> wrote:

: mysql_real_escape_string() handles the quite characters automatically.
: It should be all you need.

It didn't work for me.

: And if your hosting company is still running with magic_quotes_gpc() on,
: I'd suggest changing hosting companies. There are too many out there
: who won't make your life miserable.

I have no control over that either: I'm just doing some
volunteer work for a local organization.

--thelma
Jun 2 '08 #12
On Sun, 18 May 2008 02:16:41 +0200, <th****@uwm.edu> wrote:
Jerry Stuckle <js*******@attglobal.net> wrote:

: mysql_real_escape_string() handles the quite characters automatically.
: It should be all you need.

It didn't work for me.
It does. Show us the exact code you were using that you claim failed.
--
Rik Wasmus
....spamrun finished
Jun 2 '08 #13
Rik Wasmus <lu************@hotmail.com> wrote:
: On Sun, 18 May 2008 02:16:41 +0200, <th****@uwm.edu> wrote:

: Jerry Stuckle <js*******@attglobal.net> wrote:
: >
: : mysql_real_escape_string() handles the quite characters automatically.
: : It should be all you need.
: >
: It didn't work for me.

: It does. Show us the exact code you were using that you claim failed.

I see that I have not managed to explain the problem that I had.
The string with the quotes in it was correctly stored into the
database.

The problem occurred when I read it back out of the
database to display it on a form.
I read it successfully from the database and only lost it
when I tried to write the HTML for the form: this is of course a
problem that is independent of any database considerations, but I
think that a lot of us can get our first run-in with it in just the
way I did, and *think* that it involves the database reads and
writes...so I still think that it's useful to discuss them
together.
--thelma


Jun 2 '08 #14
On Sun, 18 May 2008 03:20:13 +0200, <th****@uwm.edu> wrote:
Rik Wasmus <lu************@hotmail.com> wrote:
: On Sun, 18 May 2008 02:16:41 +0200, <th****@uwm.edu> wrote:

: Jerry Stuckle <js*******@attglobal.net> wrote:
: >
: : mysql_real_escape_string() handles the quite characters
automatically.
: : It should be all you need.
: >
: It didn't work for me.

: It does. Show us the exact code you were using that you claim failed.

I see that I have not managed to explain the problem that I had.
The string with the quotes in it was correctly stored into the
database.

The problem occurred when I read it back out of the
database to display it on a form.
I read it successfully from the database and only lost it
when I tried to write the HTML for the form: this is of course a
problem that is independent of the any database considerations,
but I
think that a lot of us can get our first run in with it in just the
way I did, and *think* that it involves the database reads and
writes...so I still think that it's useful to discuss them
together.
Nothing to do with database reads / writes, just simple HTML display
principles. Lots of stuff in the manual(s)...
--
Rik Wasmus
....spamrun finished
Jun 2 '08 #15
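The second trap thelma ran into, as an added example that is not part of the thread: the value comes back from the database intact and is only damaged when it is dropped into an HTML attribute without HTML escaping. SQL escaping and HTML escaping are for different destinations, and the output side needs htmlspecialchars() regardless of what was done on the way into the database. The field name, the function names and the sample value are my own.

```php
<?php
// Added example (not from the thread). The sample value, the field name and
// the function names are constructed for illustration.
declare(strict_types=1);

// Pretend this is the column we just read back with a SELECT. The PHP
// literal below is the string:  Say "hi" to O'Neill
$fromDb = 'Say "hi" to O\'Neill';

// Broken: the raw value is written straight into the attribute. The first
// double quote inside the value ends the value="..." attribute early, so the
// browser keeps only the text before it and treats the rest as stray markup.
// A value containing < or > would likewise start a new tag.
function render_field_raw(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Correct: htmlspecialchars() turns &, <, >, " and (with ENT_QUOTES) ' into
// entities. The browser decodes them back into the original characters when it
// shows the field, but none of them can close the attribute or open a tag.
// The charset argument must match the encoding the page is served in.
function render_field(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $safeValue = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $safeName . '" value="' . $safeValue . '">';
}

// Quick self-check: decoding the escaped attribute text gives back exactly the
// string that was stored, i.e. the escaping is lossless.
function round_trips(string $value): bool
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $value;
}

echo render_field_raw('greeting', $fromDb), "\n";
echo render_field('greeting', $fromDb), "\n";
echo round_trips($fromDb) ? "round trip ok\n" : "round trip lost data\n";
```

The same rule applies to every place a stored value is written into a page (text nodes, attributes, JavaScript literals, URLs), each with its own escaping function; mysql_real_escape_string() is for SQL text only and does nothing for any of them.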
th****@uwm.edu wrote:
Rik Wasmus <lu************@hotmail.com> wrote:
: On Sat, 17 May 2008 01:31:27 +0200, <th****@uwm.edu> wrote:
: My raw POST seems to return already escaped...so if
: the php is set to do it for me, than I shouldn't
: do anything more? [for that particular aspect, anyway]?

: magic_quotes_gpc is on on your host, and that feature should not be
: trusted to escape data for to prevent mysql injection as it amongst others
: can choke on multibyte characters missing (or even creating...) quotes.

<snip>
: Try to turn it off, either by server/php.ini config or .htaccess files if
: possible. If not, stripslashes() from the string is magic_quotes_gpc()
: returns true, and hopefully enjoy the real data received. Use the real
: function meant for this purpose, which other then magic_quotes CAN
: communicate with the database and know what kind of escaping is needed.

Thanks to all: I can't control the php implementation [I can at
home, but it has to run on the other one], so I'm using stripslashes
before applying mysql_real_escape_string.
Someone correct me if I'm wrong, but if you are stuck with
magic_quotes_gpc being ON for now, I think you should write your own
function - something like:

// Undo magic_quotes_gpc when the host has it on, so the code behaves
// the same whether or not the setting is enabled.
function unslash($text)
{
    if (get_magic_quotes_gpc())
        return(stripslashes($text));
    else
        return($text);
}

That will keep your code portable.

$var = mysql_real_escape_string(unslash($_POST['var']));

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************

Jun 2 '08 #16
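A generalisation of the unslash() idea above, as an added example that is not part of the thread: rather than unslashing one variable at a time, normalise every GET, POST and COOKIE value once at the top of the request, so the rest of the script always sees the data the user actually sent, whether or not the host has magic_quotes_gpc on. Nested arrays (fields named `tags[]`) and array keys are handled too, since magic quotes slashed both. Function names are my own; the guard on get_magic_quotes_gpc() is there because the function was removed in PHP 8 along with the setting.

```php
<?php
// Added example (not from the thread). Function names are my own.
declare(strict_types=1);

// get_magic_quotes_gpc() no longer exists on PHP 8 (the setting is gone too),
// so guard the call: on such a host there is nothing to undo.
function magic_quotes_active(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively strip the backslashes magic quotes added. Arrays must be walked
// because form fields like name="tags[]" arrive as nested arrays, and magic
// quotes slashed every leaf and the keys as well.
function unslash_deep($value)
{
    if (is_array($value)) {
        $clean = [];
        foreach ($value as $key => $item) {
            $cleanKey = is_string($key) ? stripslashes($key) : $key;
            $clean[$cleanKey] = unslash_deep($item);
        }
        return $clean;
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Apply it exactly once per request. Stripping twice would eat legitimate
// backslashes the user typed (a Windows path, for example), so a static flag
// makes repeated calls harmless.
function normalise_request_input(): void
{
    static $done = false;
    if ($done || !magic_quotes_active()) {
        return;
    }
    $done = true;
    $_GET     = unslash_deep($_GET);
    $_POST    = unslash_deep($_POST);
    $_COOKIE  = unslash_deep($_COOKIE);
    $_REQUEST = unslash_deep($_REQUEST);
}

normalise_request_input();

// From here on the superglobals hold the raw user data, and each use escapes
// for its own destination rather than for the transport:
//   mysqli_real_escape_string($link, $_POST['var'])      when building SQL text
//   htmlspecialchars($_POST['var'], ENT_QUOTES, 'UTF-8')  when writing HTML
```

Calling this from a single include at the top of every script gives the portability Chuck describes without sprinkling unslash() around every `$_POST` access, and it keeps the "strip once, escape per destination" order that the thread converges on.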
th****@uwm.edu wrote:
Jerry Stuckle <js*******@attglobal.net> wrote:

: mysql_real_escape_string() handles the quite characters automatically.
: It should be all you need.

It didn't work for me.

: And if your hosting company is still running with magic_quotes_gpc() on,
: I'd suggest changing hosting companies. There are too many out there
: who won't make your life miserable.

I have no control over that either: I'm just doing some
volunteer work for a local organization.

--thelma
Then you need to talk to the head of that organization. Their host is
doing them NO favors.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jun 2 '08 #17
