
MySQL escaping


CaptainJoe54

Recommended Posts

Got a question about escaping SQL: does the execution order matter when encrypting a string?
Could option 1 be vulnerable to SQL injection if the string is decrypted and reused in some SQL query later?

1. $this->db->escape($this->encrypt($somevariable))

2. $this->encrypt($this->db->escape($somevariable))


You have to escape the encrypted value, for it to be put in a SQL query safely. Escaping before encrypting doesn't help, as the encryption process could create characters that need to themselves be escaped.

 

Switch to using prepared statements, though, and that'll take care of the escaping for you.

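The point of this answer in working code, as an added example that is not from the thread or from any poster: raw ciphertext is arbitrary bytes and can contain quotes, backslashes or NUL, so the only safe orders are escape-after-encrypt or, better, binding the ciphertext as a parameter so it never appears in the SQL text. It assumes a mysqli connection `$mysqli`, a table `secrets (id INT AUTO_INCREMENT PRIMARY KEY, payload BLOB NOT NULL)` and a 32-byte key loaded from outside the code; all of those names are assumptions for the example.

```php
<?php
// Added example (not code from the thread). Assumptions: $mysqli is an open
// mysqli connection, table `secrets` exists as described in the lead-in, and
// $key is a 32-byte secret loaded from a secure location (placeholder below).
$key = getenv('APP_ENC_KEY') ?: str_repeat("\0", 32); // placeholder key for illustration only

// AES-256-GCM: nonce (12 bytes) . tag (16 bytes) . ciphertext, so decryption
// also verifies integrity. The output is raw binary, not printable text.
function encryptValue(string $plaintext, string $key): string {
    $nonce = random_bytes(12);
    $tag = '';
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ciphertext;
}

function decryptValue(string $blob, string $key): string {
    $nonce = substr($blob, 0, 12);
    $tag = substr($blob, 12, 16);
    $ciphertext = substr($blob, 28);
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($plaintext === false) {
        throw new RuntimeException('decryption failed or data tampered with');
    }
    return $plaintext;
}

$somevariable = "O'Brien <user input, treated as untrusted>";
$blob = encryptValue($somevariable, $key);

// Option 1 from the question: escape AFTER encrypting, then build the query.
// Escaping before encrypting would leave the ciphertext's own quote/backslash
// bytes unescaped, which is the breakage the answer describes.
$escaped = $mysqli->real_escape_string($blob);
$mysqli->query("INSERT INTO secrets (payload) VALUES ('$escaped')");

// Preferred: a prepared statement. The ciphertext is sent as a parameter and
// never becomes part of the SQL text, so no escaping step exists to get wrong.
$stmt = $mysqli->prepare('INSERT INTO secrets (payload) VALUES (?)');
$stmt->bind_param('s', $blob);
$stmt->execute();
$id = $mysqli->insert_id;
$stmt->close();

// Reading back: the stored bytes are exactly what encryptValue() produced,
// because MySQL removed the escape sequences when it parsed the query.
$stmt = $mysqli->prepare('SELECT payload FROM secrets WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($storedBlob);
$stmt->fetch();
$stmt->close();
$plain = decryptValue($storedBlob, $key);   // equals $somevariable, including the apostrophe

// The decrypted value is the original untrusted input again. If it is reused
// in a later query (the second part of the question), bind it again:
$stmt = $mysqli->prepare('SELECT id FROM users WHERE name = ?');
$stmt->bind_param('s', $plain);
$stmt->execute();
$stmt->close();
```

Two design notes: GCM is used instead of plain CBC so that a tampered or corrupted row fails on decrypt rather than yielding garbage; and the column is a BLOB because the ciphertext is binary, which is why escaping it into a string literal is fragile in the first place. Neither encryption nor escaping makes a value trustworthy once decrypted, so the last statement binds it exactly as the original input would have been.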

Escape the value you want to store. If you want to store the encrypted value then escape(encrypt(value)), and if you want to encrypt the stored value then escape(encrypt(value)).

 

"Aren't those the same?"

 

Yes. encrypt(escape(value)) has no purpose: escaping will add slashes and if you encrypt that then you've encrypted the value with added slashes. Which is a stupid thing to do, because now if you want the original you have to remove those slashes - so why add them in the first place?

 

If you want to start a car then you put the key in the ignition and turn it. In that order.

