FUDforum

Home » Imported messages » comp.lang.php » Data sanitation for mysql queries.
Data sanitation for mysql queries. [message #179660] Fri, 16 November 2012 18:10
cph
For sanitizing user input that will be part of a mysql query, is addslashes() good enough to prevent mysql injection?
Re: Data sanitation for mysql queries. [message #179661 is a reply to message #179660] Fri, 16 November 2012 18:49
Daniel Pitts
On 11/16/12 10:10 AM, cph wrote:
> For sanitizing user input that will be part of a mysql query, is addslashes() good enough to prevent mysql injection?
>

Short answer is no.

Prepared statements help a lot.

Using the correct functions helps too:
<http://www.php.net/manual/en/mysqli.real-escape-string.php>
Re: Data sanitation for mysql queries. [message #179662 is a reply to message #179660] Fri, 16 November 2012 18:56
Jerry Stuckle
On 11/16/2012 1:10 PM, cph wrote:
> For sanitizing user input that will be part of a mysql query, is addslashes() good enough to prevent mysql injection?
>

Not at all. You need to validate the data, i.e. integer values are
actually integers, dates are valid, etc. You can use bind parameters as
Daniel indicated, or you can use mysql_real_escape_string() on strings.
Numeric values, dates, etc. do not need further processing if they have
been properly validated. But they need to be validated even if you're
using bind parameters.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
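
Validation combined with bind parameters, as the post above describes, shown as an added example that is not part of the thread. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; the `orders` table, its columns, and the helpers `validInt`, `validDate` and `findOrders` are hypothetical.

```php
<?php
// Added example, not from the thread. SQLite in memory stands in for MySQL so
// the script runs without a server; table, columns and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, placed TEXT)');
$pdo->exec("INSERT INTO orders VALUES (1, 'O''Brien', '2012-11-16'), (2, 'Smith', '2012-11-17')");

/** Validation: return the value as an int within range, or null if it is not one. */
function validInt(string $raw, int $min, int $max): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

/** Validation: accept only a real calendar date written as YYYY-MM-DD. */
function validDate(string $raw): ?string
{
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // Round-trip comparison rejects overflowed dates such as 2012-02-30.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/** Query with bind parameters: values travel separately from the SQL text. */
function findOrders(PDO $pdo, string $rawId, string $customer, string $rawDate): array
{
    $id   = validInt($rawId, 1, PHP_INT_MAX);
    $date = validDate($rawDate);
    if ($id === null || $date === null) {
        throw new InvalidArgumentException('id or date failed validation');
    }
    $stmt = $pdo->prepare(
        'SELECT id, customer FROM orders WHERE id = :id AND customer = :c AND placed = :d');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':c', $customer, PDO::PARAM_STR); // the quote in the name needs no escaping
    $stmt->bindValue(':d', $date, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(findOrders($pdo, '1', "O'Brien", '2012-11-16'));
foreach ([['1x', 'Smith', '2012-11-17'], ['2', 'Smith', '2012-02-30']] as $bad) {
    try {
        findOrders($pdo, ...$bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: {$bad[0]} / {$bad[2]}\n";
    }
}
```
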
Re: Data sanitation for mysql queries. [message #179663 is a reply to message #179662] Fri, 16 November 2012 19:36
cph
I am not asking about validation; that is a whole other topic. This is specifically about sanitation. The problem with real_escape_string is, from what I have read, it's not good enough to prevent sql injections.

On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
> On 11/16/2012 1:10 PM, cph wrote:
>> For sanitizing user input that will be part of a mysql query, is addslashes() good enough to prevent mysql injection?
>
> Not at all. You need to validate the data, i.e. integer values are
> actually integers, dates are valid, etc. You can use bind parameters as
> Daniel indicated, or you can use mysql_real_escape_string() on strings.
> Numeric values, dates, etc. do not need further processing if they have
> been properly validated. But they need to be validated even if you're
> using bind parameters.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex(at)attglobal(dot)net
> ==================
Re: Data sanitation for mysql queries. [message #179664 is a reply to message #179663] Fri, 16 November 2012 21:46
Jerry Stuckle
On 11/16/2012 2:36 PM, cph wrote:
> On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
>> On 11/16/2012 1:10 PM, cph wrote:
>>> For sanitizing user input that will be part of a mysql query, is addslashes() good enough to prevent mysql injection?
>>
>> Not at all. You need to validate the data, i.e. integer values are
>> actually integers, dates are valid, etc. You can use bind parameters as
>> Daniel indicated, or you can use mysql_real_escape_string() on strings.
>> Numeric values, dates, etc. do not need further processing if they have
>> been properly validated. But they need to be validated even if you're
>> using bind parameters.

> I am not asking about validation; that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is,
> from what I have read, it's not good enough to prevent sql injections.

<Top posting fixed>

The whole purpose of mysql_escape_string() is to prepare strings for
insertion into the database. Where did you read it wasn't good enough
to prevent sql injections?

P.S. Please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: Data sanitation for mysql queries. [message #179687 is a reply to message #179663] Sun, 18 November 2012 01:47
Peter H. Coffin
On Fri, 16 Nov 2012 11:36:18 -0800 (PST), cph wrote:

> I am not asking about validation; that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is,
> from what I have read, it's not good enough to prevent sql injections.

Where did you read that? It's better than add_slashes because it's
actually AWARE of the connection parameters, like what the actual escape
character is.

--
54. I will not strike a bargain with a demonic being then attempt to
double-cross it simply because I feel like being contrary.
--Peter Anspach's list of things to do as an Evil Overlord