
MySQL escaping


CaptainJoe54


Got a question about escaping SQL: does the execution order matter when encrypting a string?
Could option 1 be vulnerable to SQL injection if the string is decrypted and reused in some SQL query later?

1. $this->db->escape($this->encrypt($somevariable))

2. $this->encrypt($this->db->escape($somevariable))


You have to escape the encrypted value, for it to be put in a SQL query safely. Escaping before encrypting doesn't help, as the encryption process could create characters that need to themselves be escaped.


Switch to using prepared statements, though, and that'll take care of the escaping for you.


Escape the value you want to store. If you want to store the encrypted value then escape(encrypt(value)), and if you want to encrypt the stored value then escape(encrypt(value)).


"Aren't those the same?"


Yes. encrypt(escape(value)) has no purpose: escaping will add slashes and if you encrypt that then you've encrypted the value with added slashes. Which is a stupid thing to do, because now if you want the original you have to remove those slashes - so why add them in the first place?


If you want to start a car then you put the key in the ignition and turn it. In that order.
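As an added illustration of the point made in both replies above (example code, not from the thread or from CodeIgniter): a toy XOR stream cipher stands in for $this->encrypt(), a local mysql_escape() mimics what mysql_real_escape_string() does, and sqlite3 parameter binding stands in for a MySQL prepared statement. Decrypting option 2's stored value hands back the slashes, option 1 round-trips cleanly, and the prepared statement needs no escaping step at all.

```python
import hashlib
import re
import sqlite3

KEY = b"demo-key-not-for-production"  # constructed sample key; toy cipher only

def encrypt(data: bytes) -> bytes:
    """Toy XOR stream cipher standing in for $this->encrypt(); output is arbitrary bytes."""
    block, out = hashlib.sha256(KEY).digest(), bytearray()
    for i, b in enumerate(data):
        if i and i % 32 == 0:  # extend the keystream by hash chaining
            block = hashlib.sha256(block).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

decrypt = encrypt  # XOR is its own inverse

# Bytes MySQL treats specially inside a quoted literal (the set mysql_real_escape_string() escapes)
_SPECIAL = {0: b"\\0", 10: b"\\n", 13: b"\\r", 26: b"\\Z",
            ord("\\"): b"\\\\", ord("'"): b"\\'", ord('"'): b'\\"'}

def mysql_escape(data: bytes) -> bytes:
    """Stand-in for $this->db->escape(): backslash-escape every special byte."""
    return b"".join(_SPECIAL.get(b, bytes([b])) for b in data)

def server_unescape(literal: bytes) -> bytes:
    """What the server stores after parsing the escaped literal (inverse of mysql_escape)."""
    inv = {v: bytes([k]) for k, v in _SPECIAL.items()}
    return re.sub(rb"\\.", lambda m: inv.get(m.group(0), m.group(0)), literal, flags=re.S)

def option1_roundtrip(value: bytes) -> bytes:
    """escape(encrypt(value)): the server unescapes the literal and the stored ciphertext decrypts to value."""
    return decrypt(server_unescape(mysql_escape(encrypt(value))))

def option2_roundtrip(value: bytes) -> bytes:
    """encrypt(escape(value)): what comes back is the value with the slashes still in it."""
    return decrypt(encrypt(mysql_escape(value)))

def prepared_statement_roundtrip(value: bytes) -> bytes:
    """Prepared statement (sqlite3 stands in for MySQL): bind the raw ciphertext, no escaping at all."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE secrets (payload BLOB)")
    con.execute("INSERT INTO secrets (payload) VALUES (?)", (encrypt(value),))
    (stored,) = con.execute("SELECT payload FROM secrets").fetchone()
    return decrypt(stored)
```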

