filter_input and mysql_real_escape_string don't mix?

PHP
1

Hello there. Consider this code:


$string = filter_input (INPUT_POST, 'string', FILTER_SANITIZE_STRING);
$query = sprintf ('SELECT * FROM table WHERE username=\\'%s\\';', 
mysql_real_escape_string ($string));
echo $query;

If our input is a string that uses a single quote character, mysql_real_escape_string seems to fail in escaping the character. I’ve tested this with other combinations and it seems that filter_input is the culprit. The string values that it returns appears to be un-escapable. Googling for any similar cases produces no similar results, so I’d just like to think that I’m doing something wrong, or is this an undisclosed bug with filter_input. I’ve checked php’s bug tracker and no similar cases are filed for filter_input.

Let’s say that we do not have access to prepared statements. How can this situation be rectified?

2

Sorry, this is not an answer - but if $string already contains a sanitized string, why do you need to sprintf() it?

Also your understanding of mysql_real_escape_string seems completely wrong.


// use filter input
$string = filter_input (INPUT_POST, 'string', FILTER_SANITIZE_STRING);
$query = "SELECT * FROM table WHERE username='$string'";, 

OR
// use real escape string
$query = "SELECT * FROM table WHERE username=
                  '" . mysql_real_escape_string ($string) . "'";, 

OR
//use sprintf
$query = sprintf ('SELECT * FROM table WHERE username=\\'%s\\', $string )', 
echo $query;

Chase the changes through your own code if you want to … by using


var_dump( $var );

on your variable after each stage.

3

After your filter_input, the ’ has become '
So there’s no more single quote to escape :slight_smile:

4

Cups, sorry, but I don’t understand.

I tried the three methods with the string

' or 1 = 1 or '1' = '

and I got this output:


string(74) "SELECT * FROM table WHERE username='' or 1 = 1 or '1' = ''"

string(62) "SELECT * FROM table WHERE username='\\' or 1 = 1 or \\'1\\' = \\''"

string(58) "SELECT * FROM table WHERE username='' or 1 = 1 or '1' = ''"

The first one seems to have non escaped single quotes, but filter_input has transformed them into ' so maybe that makes it save to use in a query (I think so, but didn’t test it).
The second one has the single quotes escaped, so it should be safe now, right?
The third one (sprintf), didn’t escape the single quotes, and they are still normal ascii 39 characters. I looks to me like you’d still have to pass the string value through mysql_real_escape_string.

Or am I missing something?

5

Are you echoing the sanitized string as HTML? By default, with FILTER_SANITIZE_STRING, the quotes will get HTML entity encoded.

6

The third one (sprintf), didn’t escape the single quotes, and they are still normal ascii 39 characters. I looks to me like you’d still have to pass the string value through mysql_real_escape_string.
yeah, you are right I think.

I just use prepared statements and escape my output back to html and sleep at night.

I just find it unnerving to see a mix-up of Filtering and Escaping together with a formatting function all bunged together and hoping that you are safe.

FIEO is the rule. If you don’t have some kind of catch at the end of your filter then why bother with it?