Mysql_real_escape_string? [Archive]

View Full Version : Mysql_real_escape_string?

nickia

08-28-2009, 06:12 PM

I was doing some reading on security and i discovered:
htmlentities
mysql_real_escape_string

From what i understand(may be wrong)
strip_tags: removes html tags as you said
htmlentities: HTML entity counterpart (from what i understand this means writing out say < as < ?)
mysql_real_escape_string: not too sure about this but from what i gather, it removes harmful data much like the htmlentities and strip_tags function.

So the question is, which one should i use? or should i use all of them?

bqinternet

08-28-2009, 06:31 PM

It depends what you're doing with the data. If you're using user-supplied variables in your MySQL calls, then you definitely want to use mysql_real_escape_string. If you're writing a forum, then you probably want to strip out HTML tags.

Harzem

08-28-2009, 06:40 PM

strip_tags: Removes html tags and similar. Usually not a good way for security. I never use this.

htmlspecialchars: replaces
< with <
> with >
" with "
& with &

htmlentities: replaces many more characters, usually not required for security. Use htmlspecialchars is enough.

addslashes: Adds a \ before ' and \ charaters. Recommended when sending data to a mysql query or such. The inverse function is stripslashes.

mysql_real_escape_string: Same as addslashes, but works on some non-english characters of mysql better. Recommended instead of addslashes in some cases.

In short, these are what you use:
htmlspecialchars, mysql_real_escape_string, stripslashes.

If the mysql_real_escape_string name is too long to type, create an alternative function:

function slashes($unescaped_string, $link_identifier = false)
{
if($link_identifier)
return mysql_real_escape_string($unescaped_string, $link_identifier);
else
return mysql_real_escape_string($unescaped_string);
}

nickia

08-28-2009, 11:42 PM

Thanks. If I'm writing a user registration page, would mysql_real_escape_string be enough for usernames, e-mails and other related information?

Harzem

08-29-2009, 05:31 AM

Thanks. If I'm writing a user registration page, would mysql_real_escape_string be enough for usernames, e-mails and other related information?

Yes, it's all you need.

mysql_querty("
INSERT INTO members
(name, email, password)
VALUES
('".mysql_real_escape_string($_POST['username'])."',
'".mysql_real_escape_string($_POST['email'])."'),
'".sha1($_POST['password'])."')
");

mattle

08-29-2009, 11:08 AM

mysql_query, unless you meant mysql_qwerty ;)

godza

08-31-2009, 06:04 PM

mysql_query("
INSERT members
set name='".mysql_real_escape_string($_POST['username'])."',
email='".mysql_real_escape_string($_POST['email'])."'),
password='".sha1($_POST['password'])."')
");

If you like to kill spaces from user name you could use:

mysql_query("
INSERT members
set name='".mysql_real_escape_string(trim($_POST['username']))."',
email='".mysql_real_escape_string($_POST['email'])."'),
password='".sha1($_POST['password'])."')
");

risoknop

09-01-2009, 11:03 AM

Well, personally I use PDO with prepared statements so there is no need for escaping with mysql_real_escape_string().

siv9

09-02-2009, 11:43 AM

mysql_real_escape_string does not remove anything. It simply escapes your string to help prevent SQL injection (Look up 'SQL Injection' on google). I ALWAYS recommend using this function, in any web accessible script.

Another function you may want to look into is preg_replace. This function would allow you to strip out ALL unneeded characters (e.g. if it's a username, it should only be letters, numbers, and maybe a underscore or dash. No need to allow any other characters in the string, so you could use preg_replace to strip out all the other unneeded characters).

I always recommend taking the time to ensure user input matches what it should be. I would never take the chance or risk it. Any web accessible script will almost always be exploited at one point. Better safe than sorry

ankit_frenz

09-02-2009, 12:02 PM

godza

09-02-2009, 03:40 PM

more advanced example of using regexp for security could be:

class security {

function rstSEC() {
$this->setErrors = array();
}

function pushSetErrors($err) {
if(!isset($this->setErrors))
$this->setErrors = array();
array_push($this->setErrors, $err);
}

function isValidName(&$name) {
$this->rstSEC();
if(preg_match("/[^A-Za-z0-9]\Q.: []!@%+-()\E/",$name))
$this->pushSetErrors('E_CHARS');
if(strlen($name)>155)
$this->pushSetErrors('E_TOOLONG');
return($this->getSECounts());
}
}
$security = new security();
$securty->isValidName("testsomeillegalexcpetions");

Hanratty

09-04-2009, 09:56 AM

The mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement
<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

// some code to get username and password

// escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"

// more code

mysql_close($con);
?>

siv9

09-04-2009, 10:40 AM

Since we are on the subject, may I suggest the ActiveRecord class from CodeIgniter? Even if you don't like CodeIgniter, you can use the ActiveRecord class as a standalone:

http://www.documentopia.com/downloads/

Basically, instead of the code above, you could do something like:

$db->where(array('user' => $user, 'password' => $pwd))->limit(1);
$query = $db->get('my_users');
if ($query->num_rows() > 0) {
$row = $query->row_array();
echo $row['first_name'];
}

It will build your query for you, and escape the data.