FUDforum
Home » Imported messages » comp.lang.php » Data sanitation for mysql queries.
Data sanitation for mysql queries. [message #179660] Fri, 16 November 2012 13:10
cph
For sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
Re: Data sanitation for mysql queries. [message #179661 is a reply to message #179660] Fri, 16 November 2012 13:49
Daniel Pitts
On 11/16/12 10:10 AM, cph wrote:
> For sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>

Short answer is no.

Prepared statements help a lot.

Using the correct functions helps too:
<http://www.php.net/manual/en/mysqli.real-escape-string.php>
Re: Data sanitation for mysql queries. [message #179662 is a reply to message #179660] Fri, 16 November 2012 13:56
Jerry Stuckle
On 11/16/2012 1:10 PM, cph wrote:
> For sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>

Not at all. You need to validate the data, i.e. integer values are
actually integers, dates are valid, etc. You can use bind parameters as
Daniel indicated, or you can use mysql_real_escape_string() on strings.
Numeric values, dates, etc. do not need further processing if they have
been properly validated. But they need to be validated even if you're
using bind parameters.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Data sanitation for mysql queries. [message #179663 is a reply to message #179662] Fri, 16 November 2012 14:36
cph
I am not asking about validation; that is a whole other topic. This is specifically about sanitation. The problem with real_escape_string is that, from what I have read, it's not good enough to prevent SQL injections.

On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
> On 11/16/2012 1:10 PM, cph wrote:
>> For sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>
> Not at all. You need to validate the data, i.e. integer values are
> actually integers, dates are valid, etc. You can use bind parameters as
> Daniel indicated, or you can use mysql_real_escape_string() on strings.
> Numeric values, dates, etc. do not need further processing if they have
> been properly validated. But they need to be validated even if you're
> using bind parameters.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex(at)attglobal(dot)net
> ==================
Re: Data sanitation for mysql queries. [message #179664 is a reply to message #179663] Fri, 16 November 2012 16:46
Jerry Stuckle
On 11/16/2012 2:36 PM, cph wrote:
> On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
>> On 11/16/2012 1:10 PM, cph wrote:
>>> For sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>>
>> Not at all. You need to validate the data, i.e. integer values are
>> actually integers, dates are valid, etc. You can use bind parameters as
>> Daniel indicated, or you can use mysql_real_escape_string() on strings.
>> Numeric values, dates, etc. do not need further processing if they have
>> been properly validated. But they need to be validated even if you're
>> using bind parameters.
>>

> I am not asking about validation that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is
> from what I have read its not good enough to prevent sql injections.

<Top posting fixed>

The whole purpose of mysql_escape_string() is to prepare strings for
insertion into the database. Where did you read it wasn't good enough
to prevent sql injections?

P.S. Please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Data sanitation for mysql queries. [message #179687 is a reply to message #179663] Sat, 17 November 2012 20:47
Peter H. Coffin
On Fri, 16 Nov 2012 11:36:18 -0800 (PST), cph wrote:

> I am not asking about validation that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is
> from what I have read its not good enough to prevent sql injections.

Where did you read that? It's better than add_slashes because it's
actually AWARE of the connection parameters, like what the actual escape
character is.

--
54. I will not strike a bargain with a demonic being then attempt to
double-cross it simply because I feel like being contrary.
--Peter Anspach's list of things to do as an Evil Overlord
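An added PHP example, not code posted by anyone in this thread, that puts the three answers above together: validate integers and dates before use (Jerry's point), bind values with a mysqli prepared statement so they never become part of the SQL text (Daniel's point), and, only where a value cannot be bound, escape it with the connection-aware mysqli::real_escape_string instead of addslashes() (Daniel's link and Peter's point about the connection's charset). The host, credentials, database name and the `users` table are placeholders, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not from the thread. Assumes a MySQL database "app" with a
// table users(id INT, name VARCHAR(100), born DATE); host, user, password and
// database name below are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app');
// Declare the connection charset so that escaping matches what the server parses.
$db->set_charset('utf8mb4');

// --- Validation: reject anything that does not have the expected shape.
function validateId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

function validateDate(string $raw): string
{
    // '!' resets unspecified fields; re-formatting catches rolled-over dates
    // such as 2012-02-30, which createFromFormat would otherwise accept.
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw) {
        throw new InvalidArgumentException('date must be YYYY-MM-DD');
    }
    return $raw;
}

// --- Prepared statement: the values are sent separately from the SQL text,
// so a quote inside $name cannot change the statement's structure.
function findUsers(mysqli $db, string $name, string $rawMinId, string $rawBorn): array
{
    $minId = validateId($rawMinId);
    $born  = validateDate($rawBorn);

    $stmt = $db->prepare(
        'SELECT id, name, born FROM users WHERE name = ? AND id >= ? AND born = ?'
    );
    $stmt->bind_param('sis', $name, $minId, $born);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// --- Escaping as a fallback: real_escape_string uses the connection's charset,
// which addslashes() knows nothing about. The result is only safe inside a
// quoted string literal, never as a bare number, column name or keyword.
function escapedNameClause(mysqli $db, string $name): string
{
    return "name = '" . $db->real_escape_string($name) . "'";
}

// Usage with constructed inputs, including a name that contains a quote.
$rows = findUsers($db, "O'Brien", '42', '1990-05-17');
echo count($rows), " row(s)\n";
echo escapedNameClause($db, "O'Brien"), "\n";
```

The validation step stays even with bound parameters: binding stops a value from altering the query, but it does not stop an out-of-range id or an impossible date from reaching the database, which is the separate concern Jerry raised.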