Sql Injection Protection


5 replies to this topic

#1 radalin

radalin
  • Members
  • Advanced Member
  • 179 posts

Posted 07 August 2006 - 01:05 PM

Hi,
I'm using PHP 5 and Apache 2, with PostgreSQL 8.1 as the database and PEAR's MDB2 package. I'm using the escape method of MDB2. But the interesting thing is that the silencer "\" character exists more than required. I mean, if I write " your's " it becomes " your\\''s " and it's entered into the db as " your\'s ". If I do not use the escape method, everything is fine! Yes, really fine! I get the data from a form via the POST method. When I try to echo the data coming from POST it's " your\'s ". The single quote is already disabled.

Well, I'm curious why this is happening!! I do not think it's really possible, so I'm probably missing something somewhere. Sadly I cannot post my code because it's not ordered and it requires many functions. But the thing is, even if I just echo the data coming from the POST, the single quote is already disabled! I'm very curious why this happens. Maybe this is because of something I don't know yet.

Thank you for your time.
Roy Simkes
Yet Another Parkyeri Developer

#2 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 07 August 2006 - 01:12 PM

That's probably because you've got magic_quotes on in your php.ini.

Run this:
echo get_magic_quotes_gpc();
If it returns TRUE or 1, that means strings get automatically escaped.

If you want to escape strings for your database, use this function:
<?php
function sql_quote($value)
{
    // Undo the escaping magic_quotes_gpc already applied to GET/POST/COOKIE
    // data, so the value is not escaped a second time below.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Prefer the MySQL client library's escaping (requires an open MySQL
    // connection); fall back to addslashes() if the mysql extension is absent.
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
?>

Orio.
Think you're smarty?

(Gone until 20 to November)
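The double escaping the opening post describes, reproduced as an added example (this is not code from the thread or from MDB2). The `pg_style_escape()` helper is an assumption standing in for the quoting rule visible in the OP's output (backslash doubled, single quote doubled); the `$magic_quotes_active` flag stands in for `get_magic_quotes_gpc()`, which no longer exists in PHP 8, and `simulate_magic_quotes()` stands in for what PHP did to `$_POST` with magic_quotes_gpc=On.

```php
<?php
// Added example, not code from the original thread. It reproduces the
// double-escaping the opening post describes and shows the fix Orio's
// sql_quote() applies: undo magic_quotes before escaping, then escape once.

// Stand-in for the quoting rule the OP's output shows (backslash doubled,
// single quote doubled). An assumption for this example, not MDB2's code.
function pg_style_escape(string $value): string
{
    return str_replace(['\\', "'"], ['\\\\', "''"], $value);
}

// Reverse magic_quotes_gpc escaping only when it was actually applied.
// The flag stands in for get_magic_quotes_gpc(), removed in PHP 8 (assumption).
function undo_magic_quotes(string $value, bool $magic_quotes_active): string
{
    return $magic_quotes_active ? stripslashes($value) : $value;
}

// Stand-in for $_POST with magic_quotes_gpc=On: PHP ran addslashes() over the
// form data before the script saw it, which is why echoing it showed "your\'s".
function simulate_magic_quotes(array $raw): array
{
    return array_map('addslashes', $raw);
}

$raw  = ['name' => "your's"];          // constructed form submission
$post = simulate_magic_quotes($raw);   // what the script sees with magic_quotes on

// Wrong: escaping a value that magic_quotes already escaped. The database
// strips one level of escaping and stores a stray backslash (the OP's symptom).
$twice = pg_style_escape($post['name']);

// Right: strip the automatic escaping, then escape exactly once, so the
// database stores the value the user actually typed.
$once = pg_style_escape(undo_magic_quotes($post['name'], true));

printf("POST value   : %s\n", $post['name']);
printf("escaped twice: %s\n", $twice);
printf("escaped once : %s\n", $once);
```

Run it and the "escaped twice" line is the `your\\''s` the OP saw going into MDB2, while "escaped once" is the correct literal body. The same corruption happens with any escaping function, which is why the fix is either to strip the magic-quotes layer first (as sql_quote() above does) or to turn magic_quotes off so the input is escaped exactly once, by the database driver.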

#3 radalin

radalin
  • Members
  • Advanced Member
  • 179 posts

Posted 07 August 2006 - 01:16 PM

Hmmm, yeah, you were right, it was enabled.

But I'm using PostgreSQL; should I use mysql_real_escape_string or its PostgreSQL equivalent?
Roy Simkes
Yet Another Parkyeri Developer

#4 Orio

Orio
  • Staff Alumni
  • Advanced Member
  • 2,491 posts

Posted 07 August 2006 - 01:25 PM

I have no idea...
But I think it'll be ok to use on any SQL string.

From php.net:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.


Orio.
Think you're smarty?

(Gone until 20 to November)

#5 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 07 August 2006 - 01:27 PM

You would use pg_escape_string instead.

#6 radalin

radalin
  • Members
  • Advanced Member
  • 179 posts

Posted 07 August 2006 - 01:30 PM

Thanks for the info.

MDB2's escape method was using that function. When I disabled magic_quotes, everything is OK now.

Roy Simkes
Yet Another Parkyeri Developer
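The PostgreSQL side of the fix, as an added example that is not code from the thread: the driver's own escaping that post #5 points at (`pg_escape_string`'s quoting sibling `pg_escape_literal`), next to a parameterised query that removes the need to escape at all, each tried against a constructed injection string. It assumes the pgsql extension and a reachable database named by a `PGCONN` environment variable (both assumptions for this example).

```php
<?php
// Added example, not from the thread: escaping once with the PostgreSQL
// driver, and the parameterised form that makes escaping unnecessary.
// Assumes the pgsql extension and a database reachable via the PGCONN
// environment variable (an assumption for this example), e.g.
//   PGCONN="host=localhost dbname=test user=app password=secret" php example.php

$conn = pg_connect(getenv('PGCONN') ?: 'dbname=test');
if ($conn === false) {
    fwrite(STDERR, "connection failed\n");
    exit(1);
}

// Constructed inputs as $_POST delivers them with magic_quotes_gpc=Off:
// a legitimate value containing a quote and a backslash, and an injection attempt.
$name   = "O'Brien \\ Co";
$attack = "x' OR '1'='1";

pg_query($conn, 'CREATE TEMP TABLE t_example (id serial PRIMARY KEY, name text)');
pg_query_params($conn, 'INSERT INTO t_example (name) VALUES ($1)', [$name]);

// Naive concatenation: the attacker's quote closes the literal and the rest
// of the input becomes SQL, so the predicate matches every row.
$naive = "SELECT name FROM t_example WHERE name = '$attack'";
$res   = pg_query($conn, $naive);
printf("naive         : %d row(s)  %s\n", pg_num_rows($res), $naive);

// Escaped once with the driver's function. pg_escape_literal() returns the
// value already wrapped in single quotes and honours standard_conforming_strings,
// so it is pasted into the statement as-is (no extra quotes around it).
$escaped = 'SELECT name FROM t_example WHERE name = ' . pg_escape_literal($conn, $attack);
$res     = pg_query($conn, $escaped);
printf("escaped       : %d row(s)  %s\n", pg_num_rows($res), $escaped);

// Parameterised query: the value never becomes part of the SQL text, so there
// is nothing to escape and nothing that magic_quotes could double up.
$res = pg_query_params($conn, 'SELECT name FROM t_example WHERE name = $1', [$attack]);
printf("parameterised : %d row(s)\n", pg_num_rows($res));

// Round trip of the legitimate value: it must come back byte for byte.
$res = pg_query_params($conn, 'SELECT name FROM t_example WHERE name = $1', [$name]);
$row = pg_fetch_assoc($res);
printf("%s round trip of %s\n", ($row && $row['name'] === $name) ? 'OK ' : 'BAD', $name);
```

Only the naive query matches the stored row when fed the attack string; the escaped and parameterised forms treat it as an ordinary, non-matching name. With magic_quotes off, the parameterised form is the one to standardise on: it never depends on what escaping has or has not already been applied to the input.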
