Tryptamine, posted October 3, 2011

Hello all, I'm attempting to secure a script to prevent SQL injections. But for some reason the code I'm using is not correctly escaping malicious characters. Here's a section of the code I'm using (the beginning) that first pulls the data from the database:

```php
include 'include/dbconnect.php';
include 'include/funcs.php';

if (isset($_GET['gid'])) {
    $galleryid = cleanvar($_GET['gid']);
    $sql = "select * from galleries where id = $galleryid";
    $result = mysql_query($sql) or die(mysql_error());
    if ($row = mysql_fetch_assoc($result)) {
        $galleryid = $row['id'];
        $gallerytitle = $row['title'];
        // ... (rest of the script)
    }
}
```

The cleanvar function is located in funcs.php, and this is what it looks like:

```php
function cleanvar ($var) {
    return stripslashes(mysql_real_escape_string($var));
}
```

magic_quotes_gpc is on, so that is why I added stripslashes, but for some reason whenever I go to the script and attempt to inject into it with a single or double quote, I still get a syntax error, enabling me to successfully inject. Any ideas? Thanks in advance!
Psycho, posted October 3, 2011

You should have a switch in your code to check if magic quotes are turned on before utilizing stripslashes. But, in any event, you should run stripslashes before you run mysql_real_escape_string(). Although I would suggest using a function that automatically removes any modification due to magic quotes on all input (see the manual), try this:

```php
function cleanvar ($var) {
    if (get_magic_quotes_gpc()) {
        $var = stripslashes($var);
    }
    return mysql_real_escape_string($var);
}
```

Also, why are you using mysql_real_escape_string() on an "id" field? If that's an id field I would expect it is an integer value. mysql_real_escape_string() is meant for string input. So, you should validate/force the value to be an integer. One option is to cast the value as an integer:

```php
$galleryid = (int) $_GET['gid'];
```

Or use the intval() function.
Tryptamine (author), posted October 3, 2011

Thanks for the quick reply. I tried the new function, but still got the same error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1

Also, that's a good point about the int value, I will try that next.
Tryptamine (author), posted October 3, 2011

Sorry for double posting but, oh my god, thank you, forcing the integer value worked. I've been struggling with this for several hours. THANK YOU so much.
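An added example (not code from the thread) illustrating why Psycho's advice resolved the problem: escaping only rewrites quote-like characters, so in an unquoted numeric position such as `where id = $galleryid` it can neither prevent the syntax error nor stop non-numeric input from landing in the query, whereas validating the value as an integer (or binding it through a prepared statement) does. The helper escape_like_mysql() stands in for mysql_real_escape_string() so the script runs without a database, and fetch_gallery() assumes a PDO connection; both are assumptions, not the thread's code.

```php
<?php
// Stand-in for mysql_real_escape_string() (assumption, so this runs offline).
// It escapes the same set of characters, though not byte-for-byte identically.
function escape_like_mysql(string $s): string {
    return addcslashes($s, "\x00\n\r\\'\"\x1a");
}

// The thread's original approach: escape, then drop the value straight into
// an UNQUOTED numeric position. Quotes become \' (still a syntax error) and
// anything without quotes passes through untouched.
function query_escaped_only(string $gid): string {
    return "select * from galleries where id = " . escape_like_mysql($gid);
}

// Psycho's fix, made strict: insist on a plain integer before the value ever
// touches the SQL string. Returns null for anything else.
function query_int_validated(string $gid): ?string {
    $id = filter_var($gid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    return "select * from galleries where id = " . $id;
}

// Modern replacement for the removed mysql_* functions: let the driver bind
// the value. Assumes a PDO connection; shown but not executed here.
function fetch_gallery(PDO $db, string $gid): ?array {
    $id = filter_var($gid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare("select * from galleries where id = :id");
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, the lone single quote from the thread, and
// a non-numeric string with no quotes at all for the escaper to act on.
foreach (["42", "'", "42 junk"] as $input) {
    printf("input %-10s escaped-only:  %s\n", var_export($input, true),
           query_escaped_only($input));
    printf("%-16s int-validated: %s\n", "",
           query_int_validated($input) ?? "rejected");
}
```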