CaptainJoe54
Posted October 18, 2017

Got a question about escaping SQL, does the execution order matter when encrypting a string? Could option 1 be vulnerable to SQL injection if the string is decrypted and reused in some SQL query later?

1. $this->db->escape($this->encrypt($somevariable))
2. $this->encrypt($this->db->escape($somevariable))

Sepodati
Posted October 18, 2017

You have to escape the encrypted value, for it to be put in a SQL query safely. Escaping before encrypting doesn't help, as the encryption process could create characters that need to themselves be escaped.

Switch to using prepared statements, though, and that'll take care of the escaping for you.

CaptainJoe54
Posted October 18, 2017

Okay thx, but what if $somevariable is already base64 encoded?

Sepodati
Posted October 18, 2017

I don't know... why are you doing that?

requinix
Posted October 18, 2017

Escape the value you want to store. If you want to store the encrypted value then escape(encrypt(value)), and if you want to encrypt the stored value then escape(encrypt(value)). "Aren't those the same?" Yes.

encrypt(escape(value)) has no purpose: escaping will add slashes and if you encrypt that then you've encrypted the value with added slashes. Which is a stupid thing to do, because now if you want the original you have to remove those slashes - so why add them in the first place?

If you want to start a car then you put the key in the ignition and turn it. In that order.
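
The prepared-statement route recommended in the replies above, as an added example that is not part of the original thread: the ciphertext is bound as a parameter when stored, and the decrypted value is bound again when it is reused in a later query. Assumptions: libsodium's secretbox stands in for the poster's unspecified encrypt(), the database is in-memory SQLite through PDO, and the table names, key and input are constructed.

```php
<?php
// Added example. Key, table names and input are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body BLOB)');
$pdo->exec('CREATE TABLE audit (note TEXT)');

$key = sodium_crypto_secretbox_keygen(); // demo key; a real one comes from a secret store

// Stand-in for the thread's encrypt(): returns nonce || ciphertext as raw bytes.
function encrypt(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

function decrypt(string $blob, string $key): string
{
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(
        substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('ciphertext failed authentication');
    }
    return $plain;
}

$input = "O'Brien said \"hi\" \\ bye"; // constructed value with quote and backslash characters

// Store: no escaping before or after encryption; the ciphertext is bound as a BLOB parameter.
$ins = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
$ins->bindValue(':body', encrypt($input, $key), PDO::PARAM_LOB);
$ins->execute();

// Load and decrypt: the plaintext comes back byte for byte, quotes included.
$blob  = $pdo->query('SELECT body FROM notes WHERE id = 1')->fetchColumn();
$plain = decrypt($blob, $key);

// Reuse in a later query: bind again. Nothing done at insert time protects this statement.
$aud = $pdo->prepare('INSERT INTO audit (note) VALUES (:note)');
$aud->execute([':note' => $plain]);

var_dump($plain === $input);
var_dump($pdo->query('SELECT note FROM audit')->fetchColumn() === $input);
```

Because decryption returns the original bytes, the second statement is the one that answers the "decrypted and reused later" part of the question: it is safe only because the value is bound there too.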