  #1 Dan Grossman (Philadelphia, PA)

    mysql_query() general question

    Does mysql_query() permit multiple queries to be in the string passed to it, or does it only execute one query? I want to know if it's vulnerable to someone entering into a textbox an endquote and starting a second query within the string - but if mysql_query() only executes one query that won't be possible.

    Trying to work on securing a PHP/mySQL app.

  #2 koomann
    I'm not 100% sure, but I doubt it. If it was possible, I'm pretty sure they would mention it, or refer you to a different function.

    -JG

  #3 Jeff Lange (Calgary, Canada)
    mysql_query() only performs 1 query.
    Who walks the stairs without a care
    It shoots so high in the sky.
    Bounce up and down just like a clown.
    Everyone knows its Slinky.

  #4 Dan Grossman (Philadelphia, PA)
    Is "SELECT * FROM Users; DROP TABLE Users" one query?

  #5 koomann
    Quote Originally Posted by Dan Grossman
    Is "SELECT * FROM Users; DROP TABLE Users" one query?
    I'd think so

  #6 SitePoint Evangelist (UK)
    Quote Originally Posted by Dan Grossman
    Does mysql_query() permit multiple queries to be in the string passed to it, or does it only execute one query? I want to know if it's vulnerable to someone entering into a textbox an endquote and starting a second query within the string - but if mysql_query() only executes one query that won't be possible.

    Trying to work on securing a PHP/mySQL app.
    Whenever using data in a query which a user has entered, always use addslashes() on it - this will add slashes before inverted commas so that a user cannot manipulate your query with adverse effects.

    For example:

    PHP Code:
    $query = mysql_query("
        INSERT INTO table SET
            colvalue = '" . addslashes($_REQUEST["user_entered_value"]) . "'
    ");
    Although this article revolves around MS SQL and ASP, you might want to take a quick look: http://www.sitepoint.com/article/794/3.

    As Jeff points out, mysql_query() performs only one query at a time.
    Regards, Ant.

  #7 koomann
    And when printing the data back out, can't forget to use stripslashes() -- to (surprise surprise) take out the slashes added in by addslashes().

  #8 weirdbeardmt (Channel Islands)
    http://www.sitepoint.com/article/794 and http://www.sitepoint.com/article/758 will sort you out. The code above won't get executed, but only because MySQL is like that...
    I swear to drunk I'm not God.
    Matt's debating is not a crime
    Hint: Don't buy a stupid dwarf Clicky

  #9 Jeff Lange (Calgary, Canada)
    Quote Originally Posted by koomann
    And when printing the data back out, can't forget to use stripslashes() -- to (surprise surprise) take out the slashes added in by addslashes().
    You should never have to do this. The slashes are only there as escape characters, and are not actually stored in the database. The only way you'd need to stripslashes() when retrieving information is if you addslashes()'ed the data twice.

    I'll now explain how this is possible: magic_quotes_gpc. This directive in PHP.ini sets whether all user information coming into PHP will automatically have slashes added. You should check to see if this is turned on and only addslashes accordingly.

    You can check its value using ini_get('magic_quotes_gpc') or get_magic_quotes_gpc().

    Whenever using data in a query which a user has entered, always use addslashes() on it - this will add slashes before inverted commas so that a user cannot manipulate your query with adverse effects.
    This is incorrect; the only characters escaped are single-quote, double-quote, and the backslash character. Commas are left intact. That being said, addslashes() will only protect you if you put all of your values into single quotes within your query.

    Example (Assuming everything is properly escaped by this point):
    Code:
    Is safe:
    INSERT INTO tableName (columnName) VALUES ('$value');
     
    Is NOT safe, even with addslashes:
    INSERT INTO tableName (columnName) VALUES ($value);
    Even though columnName may be an int value, and therefore single quotes are not supposed to be used, it is insecure not to use them. Note however, it is even better to make sure you cast it to an integer before using it in the query, and then you wouldn't need any quotes, because it's impossible for the variable to contain anything but a number.

    Example of casting:
    PHP Code:
    $id = (int) $_GET['id']; 
    An alternative is the intVal() and equivalent functions.

    You should get used to casting types. (Note that even though PHP performs variable type changes automatically, type casting is still important for getting the value you want, and you can perform type comparisons using is_[type]() functions, as well as comparisons using types with === and !== operators.)
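    As an added example that is not part of the thread, the following PHP script puts Jeff's three cases side by side and prints what each statement becomes for a few inputs; db_escape(), query_quoted(), query_unquoted() and query_cast() are names invented here, the two inputs are constructed, and the function_exists() guard is only there so the script also runs on PHP versions that no longer have get_magic_quotes_gpc().

```php
<?php
// Added example, not code from the thread. It builds the three query shapes
// Jeff discusses and prints what each one becomes for constructed inputs, so
// the difference between quoting, not quoting and casting is visible.
// db_escape() is a helper invented here; it also avoids the double-escaping
// problem when magic_quotes_gpc has already added slashes to the input.

// Escape one value for use inside single quotes. If magic_quotes_gpc already
// added slashes to incoming data, strip them first so we never escape twice.
// function_exists() keeps this runnable on PHP 8, where the function is gone.
function db_escape($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return addslashes($value);
}

// Quoted string column: the escaped value cannot break out of the quotes.
function query_quoted($value)
{
    return "INSERT INTO tableName (columnName) VALUES ('" . db_escape($value) . "');";
}

// Unquoted column: addslashes() finds nothing to escape in ordinary text, so
// the raw input is spliced into the statement. Shown only to make the
// problem visible; never build a query this way.
function query_unquoted($value)
{
    return "INSERT INTO tableName (columnName) VALUES (" . db_escape($value) . ");";
}

// Integer column: cast first, then quotes are not needed because the value
// can only ever be a number.
function query_cast($value)
{
    return "INSERT INTO tableName (columnName) VALUES (" . (int) $value . ");";
}

// Constructed sample inputs of the kind a form field might carry.
$inputs = array("O'Reilly; second statement", "5 OR 1=1");

foreach ($inputs as $input) {
    echo "input:    $input\n";
    echo "quoted:   " . query_quoted($input) . "\n";
    echo "unquoted: " . query_unquoted($input) . "\n";
    echo "cast:     " . query_cast($input) . "\n\n";
}
```

    Run it from the command line with `php` and compare the three lines per input: only the quoted and the cast forms keep the input confined to a single value.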

  #10 Dan Grossman (Philadelphia, PA)
    Thanks for the links everyone, I read them all. Perhaps you can provide some advice on the best way to do this.

    Already I've had some problems with semicolons ending statements early when users used them in text. Can semicolons be escaped to correct this or do I have to strip them out completely?

    I think I like the idea of double quoting every single quote that one of the articles said.

    Also, is it possible to loop through one of the global arrays and do the replacements in the beginning of the code instead of on each individual input? I have register globals on so I don't use the $_POST and such and I can't change this much code to do so, but if I somehow loop through $_POST would that modify all the created variables?

    Thanks for the advice

  #11 Jeff Lange (Calgary, Canada)
    PHP Code:
    // Walk an array in place and addslashes() every string in it, descending
    // into nested arrays (for example form fields named field[]).
    function addslashes_recursive(&$array)
    {
        foreach ($array as $key => $content)
        {
            if (is_array($content))
                addslashes_recursive($array[$key]);
            elseif (is_string($content))
                $array[$key] = addslashes($content);
        }
    }

    // Only escape when PHP has not already done it via magic_quotes_gpc,
    // otherwise the data would be escaped twice.
    if (!ini_get('magic_quotes_gpc'))
    {
        addslashes_recursive($_POST);
        addslashes_recursive($_GET);
        addslashes_recursive($_COOKIE);
        addslashes_recursive($_REQUEST);
    }

    // Re-create the register_globals style variables from the (now escaped)
    // $_REQUEST so the plain $name variables hold the escaped copies.
    if (!ini_get('magic_quotes_gpc') || !ini_get('register_globals'))
        extract($_REQUEST, EXTR_OVERWRITE, '');

  #12 Dan Grossman (Philadelphia, PA)
    Amazing Jeff

  #13 Jeff Lange (Calgary, Canada)
    always glad to help

  #14 Dan Grossman (Philadelphia, PA)
    extract($_REQUEST, EXTR_OVERWRITE, '');

    Is this what overwrites the variables created by register globals with whatever's now in $_REQUEST?

  #15 Dan Grossman (Philadelphia, PA)
    Don't answer, stupid question. I used your function, and also wrote one like it to escape semicolons, and with those two functions in place followed by the extract, I was unable to inject multiple statements into one query through a form.

