Jump to content

Recommended Posts

Got question about escaping SQL, does the execution order matter when encrypting a string?.
Could option 1 be vulnerable to SQL injection if the string is decrypted and reused in some some SQL query later?.

1. $this->db->escape($this->encrypt($somevariable))

2. $this->encrypt($somevariable($this->db->escape))

Link to comment
https://forums.phpfreaks.com/topic/305393-mysql-escaping/
Share on other sites

You have to escape the encrypted value, for it to be put in a SQL query safely. Escaping before encrypting doesn't help, as the encryption process could create characters that need to themselves be escaped.

 

Switch to using prepared statements, though, and that'll take care of the escaping for you.

Link to comment
https://forums.phpfreaks.com/topic/305393-mysql-escaping/#findComment-1552812
Share on other sites

Escape the value you want to store. If you want to store the encrypted value then escape(encrypt(value)), and if you want encrypt the stored value then escape(encrypt(value)).

 

"Aren't those the same?"

 

Yes. encrypt(escape(value)) has no purpose: escaping will add slashes and if you encrypt that then you've encrypted the value with added slashes. Which is a stupid thing to do, because now if you want the original you have to remove those slashes - so why add them in the first place?

 

If you want to start a car then you put the key in the ignition and turn it. In that order.

Link to comment
https://forums.phpfreaks.com/topic/305393-mysql-escaping/#findComment-1552819
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.