SitePoint Sponsor

User Tag List

Results 1 to 12 of 12
  1. #1
    SitePoint Addict
    Join Date
    Aug 2007
    Location
    St. Louis, MO.
    Posts
    206
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    mysql_real_escape_string question

    I have been trying to wrap my head around this. I have done lots of google searches and I'm sure the question has been answered on most of the examples I've seen but I need to clear it up with my own question.

    Do you need to use mysql_real_escape string everytime a query is called or only when the user can enter a variable.

    Simple example

    Code PHP:
     
    $result = @mysql_query("SELECT * FROM blog ORDER BY date DESC");
     
     
        	if (!$result)
    		{
    			exit('<p>There are no blogs posted at this time. '.mysql_error(). '</p>');
    		}
     
    	//fetching the titles of posted blogs
    	while ($row = mysql_fetch_array($result))
    	{	
    		$title = $row['title'];
    		$blogid = $row['blogid'];
    		{
    		echo "<p><a href='blogArticle.php?blogid=$blogid'>$title</a></p>";
    		}
    	}

    Since there is no post or get data here do I still need to use mysql_real_escape_string? Thanks so much for the help I was determined to answer this myself but think I ended up making it worse. And yes I did look at The manual.

  2. #2
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by binarysys View Post

    Do you need to use mysql_real_escape string everytime a query is called or only when the user can enter a variable.
    The purpose of mysql_escape_string is to prepare data for mysql queries. Therefore you have to use it on all data that is involved into query, no matter where this data is coming from: user input, calculated values and even your own constants.

    In the modern php versions mysql_escape_string is coming out of favour, consider using mysqli or PDO prepared statements instead.

  3. #3
    SitePoint Enthusiast
    Join Date
    Jul 2006
    Posts
    32
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    For the sake of being cautious I use mysql_real_escape on every database query. In fact I wrote a function that I keep in my database functions library that I import on every project I work on. Every SQL query is put through my escaper function. It may not be strictly necessary, but it's certainly better than accidentally leaving a gaping hole through which script kiddies can drive an SQL injection truck.
    Radioactive chicken gave me gay.
    Neonbrainiac

  4. #4
    SitePoint Evangelist catweasel's Avatar
    Join Date
    Apr 2007
    Location
    Goldfields, VIC, Australia
    Posts
    518
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I also agree that you'd be better off using mysqli prepared statements or PDO prepared statements but if you're stuck with using mysql_real_escape_string remember it only escapes data, it doesn't type cast data.. so, for example, in situations where you're expecting data to be an integer, cast it as int instead of using mysql_real_escape_string.

    $i=(int)$_GET['i'];

  5. #5
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    ^ very good point, I use that widely myself.

    However, that wouldn't be that much of a requirement if you validated data properly. If you need an integer, check if it is, if it's not prompt an error. That's the way I see it done ideally. But then, the world ain't perfect.
    Saul

  6. #6
    SitePoint Wizard Hammer65's Avatar
    Join Date
    Nov 2004
    Location
    Lincoln Nebraska
    Posts
    1,161
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I agree. The way you determine if a value should have been an integer is not to have your query fail (or fail to store a particular value), but to have a friendly error message tell you or any other user so.

  7. #7
    SitePoint Evangelist catweasel's Avatar
    Join Date
    Apr 2007
    Location
    Goldfields, VIC, Australia
    Posts
    518
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I wasn't actually thinking of cases of user inputted data.. where you would always have a comprehensive validation and friendly error reporting process.
    I was thinking more of cases where data is not inputted by users but could be manipulated by users.. such as the page id in a pagination script .. in such a case you wouldn't really have a large validation process as though you were checking data supplied by the user.. you simply cast it as int and proceed with the query. If a malicious user has altered the page id tough bikkies to them.

  8. #8
    ✯✯✯ silver trophybronze trophy php_daemon's Avatar
    Join Date
    Mar 2006
    Posts
    5,284
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Well, there's not much of a difference. But as I said, it's more of a theory thing. Personally I don't bother and do exactly as you say.
    Saul

  9. #9
    SitePoint Addict
    Join Date
    Aug 2007
    Location
    St. Louis, MO.
    Posts
    206
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thank you so much. This was one of those instances where I have read the same stuff 40 times and for some reason it just clicked after reading your replies. Especially the integer part that was messing with my head in some of the cleaning functions I have seen but that cleared it up. Thanks again.

  10. #10
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well, to be honest, that "integer" discussion has nothing to do with database escaping. You need to realize that validation and escaping, though often confused, are very distinct tasks and usually take place at the different stages of request processing.

  11. #11
    SitePoint Wizard silver trophybronze trophy Cups's Avatar
    Join Date
    Oct 2006
    Location
    France, deep rural.
    Posts
    6,869
    Mentioned
    17 Post(s)
    Tagged
    1 Thread(s)
    tough bikkies ??

    Does that mean you break their breadcrumb trail?

  12. #12
    SitePoint Evangelist catweasel's Avatar
    Join Date
    Apr 2007
    Location
    Goldfields, VIC, Australia
    Posts
    518
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by stereofrog View Post
    Well, to be honest, that "integer" discussion has nothing to do with database escaping. You need to realize that validation and escaping, though often confused, are very distinct tasks and usually take place at the different stages of request processing.
    It is related in the context in which we're discussing it. Validation is something you do to ensure quality of data.. such as correct postcodes/zipcodes, a country name that actually exists etc etc. Escaping/type casting is something you do to ensure security. Mysql themselves give this example -

    Code:
    $i=mysql_real_escape_string($_GET['i']);
    $query = "SELECT * FROM sometable WHERE id=$i";
    ....
    User input -
    Code:
    4;delete from users
    The query is perfectly legal.. the malicious input won't be caught since mres only escapes, it doesn't type cast. Many people don't use quotations around integer types in their queries, in fact I've seen many on forums actually say it's preferable to not use quotations around numerical data in queries.

    tough bikkies ??

    Does that mean you break their breadcrumb trail?
    eh.. yeah or we could take out a 'k' and make it really scary.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •