FUDforum: comp.lang.php » Data sanitation for mysql queries.

Home » Imported messages » comp.lang.php » Data sanitation for mysql queries.

Show: Today's Messages :: Polls :: Message Navigator

Data sanitation for mysql queries. [message #179660]

Fri, 16 November 2012 18:10

cph
Messages: 10
Registered: September 2012

Karma: 0

Junior Member

FOr sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?

Report message to a moderator

Re: Data sanitation for mysql queries. [message #179661 is a reply to message #179660]

Fri, 16 November 2012 18:49

Daniel Pitts
Messages: 68
Registered: May 2012

Karma: 0

Member

On 11/16/12 10:10 AM, cph wrote:
> FOr sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>

Short answer is no.

Prepared statements help a lot.

Using the correct functions help too:
<http://www.php.net/manual/en/mysqli.real-escape-string.php>

Report message to a moderator

Re: Data sanitation for mysql queries. [message #179662 is a reply to message #179660]

Fri, 16 November 2012 18:56

Jerry Stuckle
Messages: 2598
Registered: September 2010

Karma: 0

Senior Member

On 11/16/2012 1:10 PM, cph wrote:
> FOr sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>

Not at all. You need to validate the data, i.e. integer values are
actually integers, dates are valid, etc. You can use bind parameters as
Daniel indicated, or you can use mysql_real_escape_string() on strings.
Numeric values, dates, etc. do not need further processing if they have
been properly validated. But they need to be validated even if you're
using bind parameters.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Report message to a moderator

Re: Data sanitation for mysql queries. [message #179663 is a reply to message #179662]

Fri, 16 November 2012 19:36

cph
Messages: 10
Registered: September 2012

Karma: 0

Junior Member

I am not asking about validation that is a whole other topic. This is specifically about sanitation. The problem with real_escape_string is from what I have read its not good enough to prevent sql injections.

On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
> On 11/16/2012 1:10 PM, cph wrote:
>
>> FOr sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>
>>
>
>
>
> Not at all. You need to validate the data, i.e. integer values are
>
> actually integers, dates are valid, etc. You can use bind parameters as
>
> Daniel indicated, or you can use mysql_real_escape_string() on strings.
>
> Numeric values, dates, etc. do not need further processing if they have
>
> been properly validated. But they need to be validated even if you're
>
> using bind parameters.
>
>
>
> --
>
> ==================
>
> Remove the "x" from my email address
>
> Jerry Stuckle
>
> JDS Computer Training Corp.
>
> jstucklex(at)attglobal(dot)net
>
> ==================

Report message to a moderator

Re: Data sanitation for mysql queries. [message #179664 is a reply to message #179663]

Fri, 16 November 2012 21:46

Jerry Stuckle
Messages: 2598
Registered: September 2010

Karma: 0

Senior Member

On 11/16/2012 2:36 PM, cph wrote:
> On Friday, November 16, 2012 10:56:08 AM UTC-8, Jerry Stuckle wrote:
>> On 11/16/2012 1:10 PM, cph wrote:
>>
>>> FOr sanitizing user input that will be part of a mysql query is addslashes() good enough to prevent mysql injection?
>>
>>>
>>
>>
>>
>> Not at all. You need to validate the data, i.e. integer values are
>>
>> actually integers, dates are valid, etc. You can use bind parameters as
>>
>> Daniel indicated, or you can use mysql_real_escape_string() on strings.
>>
>> Numeric values, dates, etc. do not need further processing if they have
>>
>> been properly validated. But they need to be validated even if you're
>>
>> using bind parameters.
>>
>>
>>

> I am not asking about validation that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is
> from what I have read its not good enough to prevent sql injections.

<Top posting fixed>

The whole purpose of mysql_escape_string() is to prepare strings for
insertion into the database. Where did you read it wasn't good enough
to prevent sql injections?

P.S. Please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================

Report message to a moderator

Re: Data sanitation for mysql queries. [message #179687 is a reply to message #179663]

Sun, 18 November 2012 01:47

Peter H. Coffin
Messages: 245
Registered: September 2010

Karma: 0

Senior Member

On Fri, 16 Nov 2012 11:36:18 -0800 (PST), cph wrote:

> I am not asking about validation that is a whole other topic. This is
> specifically about sanitation. The problem with real_escape_string is
> from what I have read its not good enough to prevent sql injections.

Where did you read that? It's better than add_slashes because it's
actually AWARE of the connection parameters, like what the actual escape
character is.

--
54. I will not strike a bargain with a demonic being then attempt to
double-cross it simply because I feel like being contrary.
--Peter Anspach's list of things to do as an Evil Overlord

Report message to a moderator

Previous Topic:	How to add dynamic textbox (row) and save to database using PHP
Next Topic:	Scrape dynamically generated hyperlinks

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

]

Current Time: Sat Nov 23 09:30:24 GMT 2024

Total time taken to generate the page: 0.02749 seconds