limitphp Posted January 26, 2009

I use this function to protect from sql attacks:

    function guard_sql($value) {
        $value = mysql_real_escape_string($value);
        return $value;
    }

Can I use the function inside a query like this:

    $queryUsername = "SELECT username FROM user WHERE username = 'guard_sql($username)'";

https://forums.phpfreaks.com/topic/142537-solved-guarding-against-sql-attacks/
premiso Posted January 26, 2009

    $queryUsername = "SELECT username FROM user WHERE username = '" . guard_sql($username) . "'";

Like that you can. Just make sure that Magic Quotes are off, or else that guard_sql function will double escape your data.
limitphp (Author) Posted January 26, 2009

    $queryUsername = "SELECT username FROM user WHERE username = '" . guard_sql($username) . "'";

Like that you can. Just make sure that Magic Quotes are off, or else that guard_sql function will double escape your data.

What is double escape? Should I use this instead:

    function guard_sql($value) {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
        return $value;
    }
MadTechie Posted January 26, 2009

You could, but why have a function calling one function that does the same as the function you are calling? Just do

    $queryUsername = "SELECT username FROM user WHERE username = '" . mysql_real_escape_string($username) . "'";

or

    $queryUsername = sprintf("SELECT username FROM user WHERE username = '%s'", mysql_real_escape_string($username));

EDIT: yes, that guard_sql is better
premiso Posted January 26, 2009

What is double escape? Should I use this instead:

    function guard_sql($value) {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
        return $value;
    }

For a portable script to be used on different systems, that is better. But if it is not meant for that, MadTechie is right: no need to create a function that just calls another function.
limitphp (Author) Posted January 26, 2009

For a portable script to be used on different systems, that is better. But if it is not meant for that, MadTechie is right: no need to create a function that just calls another function.

What should I do? How should I protect against SQL attacks? Also, what are magic quotes and how do I prevent double escaping?
premiso Posted January 26, 2009

Magic Quotes: they are deprecated in PHP 6 and basically just add slashes to data coming from a form, which essentially does what mysql_real_escape_string does, just not as thoroughly. If you mysql_real_escape_string data that has already been escaped with magic quotes, you get a double escape and it creates a mess. So for example the \n character would actually display in a textarea instead of breaking the line like it should.

To prevent it, you can turn it off in your php.ini or via ini_set, but if you plan to distribute this script, imo, it is better to check get_magic_quotes_gpc and, if that is on, stripslashes first, then use the mysql escape function.
MadTechie Posted January 26, 2009

Magic quotes are being removed in PHP 6 and are disabled by default in PHP 5. If they are on then they addslashes automatically, thus using addslashes does it again. Your last code will check if they are on and strip the slashes:

    function guard_sql($value) {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
        return $value;
    }

EDIT: premiso beat me
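An added, stand-alone example (not code from this thread or from any of its posters) that ties together the two points the replies make: the escaping call has to be concatenated into the query rather than written inside the double-quoted string, and magic quotes cause double escaping unless the slashes are stripped first. It assumes no database connection: escape_for_mysql() is a hypothetical stand-in that escapes the same characters mysql_real_escape_string() does (NUL, newline, carriage return, backslash, single and double quote, Ctrl-Z), and a $magic_quotes_on flag stands in for get_magic_quotes_gpc(), which no longer exists in PHP 8. The attack string and the O'Reilly value are constructed sample input.

```php
<?php
// Added example, not the thread's own code. Runs on PHP 7/8 without MySQL.

// ASSUMED stand-in for mysql_real_escape_string(): same character set,
// no connection needed, so the resulting SQL text can be inspected offline.
function escape_for_mysql(string $value): string {
    return strtr($value, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// The thread's guard_sql() with the magic-quotes check from the later posts.
// $magic_quotes_on replaces get_magic_quotes_gpc() so both settings can be tried.
function guard_sql(string $value, bool $magic_quotes_on = false): string {
    if ($magic_quotes_on) {
        $value = stripslashes($value);   // undo the addslashes() PHP already applied
    }
    return escape_for_mysql($value);
}

// What the first post tried: a function call written inside a double-quoted
// string. PHP interpolates $username but leaves "guard_sql(" and ")" as plain
// text, so the raw value, quotes and all, lands in the query unescaped.
function query_interpolated(string $username): string {
    return "SELECT username FROM user WHERE username = 'guard_sql($username)'";
}

// What the replies recommend: concatenate guard_sql()'s return value.
function query_concatenated(string $username, bool $magic_quotes_on = false): string {
    return "SELECT username FROM user WHERE username = '"
        . guard_sql($username, $magic_quotes_on) . "'";
}

// Constructed sample input: a classic tautology payload.
$attack = "x' OR '1'='1";
echo query_interpolated($attack), "\n";   // the attacker's quote closes the literal
echo query_concatenated($attack), "\n";   // every quote is escaped; one string literal

// Double escaping: with magic quotes on, the request data has already been
// through addslashes() before the script sees it. Simulate that here.
$raw       = "O'Reilly";
$from_form = addslashes($raw);

echo escape_for_mysql($from_form), "\n";  // escaped twice: MySQL stores O\'Reilly
echo guard_sql($from_form, true), "\n";   // stripslashes first: MySQL stores O'Reilly
```

Run with `php example.php`. The interpolated query comes out as `... WHERE username = 'guard_sql(x' OR '1'='1)'`, which is exactly the injection guard_sql() was meant to stop, while the concatenated form yields `... WHERE username = 'x\' OR \'1\'=\'1'`. For the magic-quotes case the double-escaped value is `O\\\'Reilly` (MySQL decodes that to `O\'Reilly`, so a stray backslash ends up in the table) and the stripslashes-first value is `O\'Reilly`. Two caveats the thread does not spell out: escaping only protects values placed inside quotes, so an unquoted numeric placeholder like `WHERE id = $id` is still injectable however well `$id` is escaped, and the real mysql_real_escape_string() must run on a connection whose character set has been set with mysql_set_charset(), since escaping is charset-dependent.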
limitphp (Author) Posted January 26, 2009

Thanks guys! I really appreciate the info!