Source: https://forums.phpfreaks.com/topic/142537-solved-guarding-against-sql-attacks/

limitphp, posted January 26, 2009

I use this function to protect from sql attacks:

```php
function guard_sql($value) {
    $value = mysql_real_escape_string($value);
    return $value;
}
```

Can I use the function inside a query like this:

```php
$queryUsername = "SELECT username FROM user WHERE username = 'guard_sql($username)'";
```
premiso, posted January 26, 2009

```php
$queryUsername = "SELECT username FROM user WHERE username = '" . guard_sql($username) . "'";
```

Like that you can. Just make sure that Magic Quotes are off, or else that guard_sql function will double escape your data.
limitphp (author), posted January 26, 2009

> ```php
> $queryUsername = "SELECT username FROM user WHERE username = '" . guard_sql($username) . "'";
> ```
>
> Like that you can. Just make sure that Magic Quotes are off, or else that guard_sql function will double escape your data.

What is double escape? Should I use this instead:

```php
function guard_sql($value) {
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = mysql_real_escape_string($value);
    return $value;
}
```
MadTechie, posted January 26, 2009

You could, but why have a function calling one function that does the same as the function you are calling? Just do

```php
$queryUsername = "SELECT username FROM user WHERE username = '" . mysql_real_escape_string($username) . "'";
```

or

```php
$queryUsername = sprintf("SELECT username FROM user WHERE username = '%s'", mysql_real_escape_string($username));
```

EDIT: yes, that guard_sql is better.
premiso, posted January 26, 2009

> ```php
> $queryUsername = "SELECT username FROM user WHERE username = '" . guard_sql($username) . "'";
> ```
>
> Like that you can. Just make sure that Magic Quotes are off, or else that guard_sql function will double escape your data.
>
> What is double escape? Should I use this instead:
>
> ```php
> function guard_sql($value) {
>     // Stripslashes
>     if (get_magic_quotes_gpc()) {
>         $value = stripslashes($value);
>     }
>     $value = mysql_real_escape_string($value);
>     return $value;
> }
> ```

For a portable script to be used on different systems, that is better. However, if it is not meant for that, MadTechie is right: no need to create a function that just calls another function.
limitphp (author), posted January 26, 2009

> For a portable script to be used on different systems, that is better. However, if it is not meant for that, MadTechie is right: no need to create a function that just calls another function.

What should I do? How should I protect against SQL attacks? Also, what are magic quotes and how do I prevent double escaping?
premiso, posted January 26, 2009

Magic Quotes. They are deprecated in PHP 6 and basically just add slashes to data coming from a form, which essentially does what mysql_real_escape_string does, just not as thoroughly. If you mysql_real_escape_string data that has already been escaped with magic quotes, you get a double escape and it creates a mess. So, for example, the \n character would actually display in a textarea instead of breaking the line like it should. To prevent it, you can turn it off in your php.ini or via ini_set, but if you plan to distribute this script, imo it is better to check get_magic_quotes_gpc and, if that is on, stripslashes first and then use the mysql escape function.
MadTechie, posted January 26, 2009

Magic quotes are being removed in PHP 6 and are disabled by default in PHP 5. If they are on, then they addslashes automatically, thus using addslashes does it again. Your last code will check if they are on and strip the slashes:

```php
function guard_sql($value) {
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    $value = mysql_real_escape_string($value);
    return $value;
}
```

EDIT: premiso beat me.
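The three points the thread makes (a function call does not run inside a double-quoted string, magic quotes plus mysql_real_escape_string gives a double escape, and the single-escape guard_sql used with concatenation or sprintf) as one added walk-through. This is not code from the thread; it assumes PHP 5.x with ext/mysql and an open connection, and `$host`, `$user`, `$pass` are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.x with ext/mysql;
// mysql_real_escape_string() needs an open connection. Placeholders below.
$link = mysql_connect($host, $user, $pass);

// The thread's guard_sql(): undo magic quotes if present, then escape once.
function guard_sql($value) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value);
}

// Constructed input containing a single quote, as a user might type it.
$username = "O'Brien";

// 1. The original question: a function call inside double quotes is NOT
//    executed; only $username is interpolated, so the quote goes in raw.
$wrong = "SELECT username FROM user WHERE username = 'guard_sql($username)'";
// -> ... WHERE username = 'guard_sql(O'Brien)'   (unescaped quote, broken SQL)

// 2. magic_quotes_gpc applies addslashes() to request data on arrival.
$slashed = addslashes($username);                     // O\'Brien
//    Escaping that again is the "double escape" from the replies:
$double  = mysql_real_escape_string($slashed, $link); // O\\\'Brien
//    MySQL would store the literal text O\'Brien instead of O'Brien.

// 3. Correct: escape exactly once and concatenate (or sprintf) the result.
$query = sprintf("SELECT username FROM user WHERE username = '%s'",
                 guard_sql($username));
// -> ... WHERE username = 'O\'Brien'   (MySQL reads the value O'Brien)
```

Comparing `$wrong`, `$double` and `$query` in a dev environment shows each effect directly; the production fix is always the single-escape form in step 3.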
limitphp (author), posted January 26, 2009

Thanks guys! I really appreciate the info!