
radalin

Sql Injection Protection


Hi,
I'm using PHP 5 and Apache 2 with PostgreSQL 8.1 as the database and PEAR's MDB2 package. I'm using the escape method of MDB2. But the interesting thing is that the silencer "\" character appears more often than required. I mean if I write " your's " it becomes " your\\''s " and it's entered into the DB as " your\'s ". If I do not use the escape method, everything is fine! Yes, really fine! I get the data from a form via the POST method. When I try to echo the data coming from POST it's already " your\'s ". The single quote is already disabled.

Well, I'm curious why this is happening!! I do not think it's really possible, so I'm probably missing something somewhere. I cannot post my code sadly because it's not ordered and it requires many functions. But the thing is, even if I echo the data coming from the POST, the single quote is already disabled! I'm very curious why this happens. Maybe this is because of something I don't know yet.

Thank you for your time.

That's probably because you've got magic_quotes on in your php.ini.

Run this:
echo get_magic_quotes_gpc();
If it returns TRUE or 1, that means strings get automatically escaped.

If you want to escape strings for your database, use this function:
[code]<?php
function sql_quote($value)
{
    // magic_quotes_gpc has already added backslashes to GET/POST/COOKIE
    // data; strip them first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Prefer the MySQL client library's escaping (uses the connection's
    // charset); fall back to addslashes() if the mysql extension is absent.
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        $value = addslashes($value);
    }
    return $value;
}
?>[/code]

Orio.

Hmmm, yeah, you were right, it was enabled.

But I'm using PostgreSQL. Should I use mysql_real_escape_string or its PostgreSQL equivalent?

I have no idea...
But I think it'll be ok to use on any SQL string.

From php.net:
[quote]mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.[/quote]

Orio.

You would use [url=http://php.net/pg_escape_string]pg_escape_string[/url] instead.
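Putting the two answers together (strip the magic_quotes backslashes first, then escape once with the PostgreSQL function), here is an added example that is not code from the thread. It assumes PHP 5.2+ with the pgsql extension, an open connection in $conn, and a form field named "name" (all assumptions); the sample value is constructed.

```php
<?php
// Added example: undo magic_quotes_gpc, then escape exactly once for PostgreSQL.
// Assumes PHP 5.2+ with the pgsql extension and an open connection $conn.

// Return the value as the user typed it: if magic_quotes_gpc is on, PHP has
// already added backslashes to GET/POST/COOKIE data, so remove them here.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Quote a string literal for PostgreSQL. pg_escape_string doubles single
// quotes (your's -> your''s) instead of prepending a backslash the way
// mysql_real_escape_string/addslashes do, so it matches the server's rules.
function pg_quote($conn, $value)
{
    return "'" . pg_escape_string($conn, raw_input($value)) . "'";
}

// Constructed sample input; with magic_quotes on, $_POST['name'] would
// arrive as "your\'s" and raw_input() restores "your's".
$name = isset($_POST['name']) ? $_POST['name'] : "your's";

// Escaped literal spliced into the query: WHERE name = 'your''s'
$sql = "SELECT id FROM users WHERE name = " . pg_quote($conn, $name);
$res = pg_query($conn, $sql);

// Preferred form: a parameterised query sends the value separately, so no
// escaping of the SQL text is needed at all (still strip magic quotes).
$res = pg_query_params($conn,
    'SELECT id FROM users WHERE name = $1',
    array(raw_input($name)));
?>
```

With magic_quotes_gpc off (as the original poster eventually did), raw_input() becomes a no-op and both query forms behave the same.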

Thanks for the info.

MDB2's escape method was using that function. When I disabled magic_quotes, everything was OK.
