>>>> http://stut.net/2011/09/15/mysql-real-escape-string-is-not-enough/
Hi everyone I have read many many articles and blog posts in the last few days to bolster my (still mostly newbie) understanding of the factors that play in to preventing various methods of SQL injection prevention.. and by now I am well aware that most everyone (expert) here says prepared statements are the most secure method of (string hacking) SQL-injection prevention.. even to the point of saying that one common (and at least previously-popular) alternative "mysql-real-escape-string" is "..silly and technically insecure..". I am learning and using the CodeIgniter (CI) framework for my current project and, not wanting to leave myself vulnerable, I read posts on the CI forum on this topic, to find out if I could (or needed) to use prepared statements in CI.. and I read one forum thread where one dev shows how to hack the core system of CI so that it can use PDO (for prepared statements) instead of the built-in ActiveRecord (or "Query Bindings") which apparently rely on mysql-real-escape-string. In that thread, the debate goes back and forth, as it does in other threads.. and while the sentiment that prepared statements are better because they remove the need to keep being ahead of the char-escaping chase... I never did see any example of *how* mysql-real-escape-string fails. The only thing I ever read that does show mysql-real-escape-string possibly failing is in the example in this article: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string or rather an article referred to there, here: http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html ..which only comes up in certain circumstances.. ("[snip]..The bottom line while the problem is serious, it would only affect people changing character sets from single-byte encodings to multibyte ones. As long as you stay away from multibyte encodings, with the exception of UTF8 you should be safe...[snip]"). All well and good. I just wanted to understand, as a relative newbie, why such bold seemingly definitive statements are made here on this list in recent weeks, like ".. escaping doesn't work.." ? http://marc.info/?l=php-general&m=131293616328301&w=2 http://marc.info/?l=php-general&m=131603743606025&w=2 Isn't it that it does work in most cases.. and one just needs to know in which cases it can fail, and how to handle things in each case? I totally get the point that prepared statements just remove so much of the head pressure of sorting all this out.. BUT when someone (mostly new) like me comes along and hears that "mysql-real-escape-string is simply not secure", then it just gives an unclear and incomplete picture, and creates more head pressure. Or is there definitive evidence, more recent than the above-mentioned articles, that shows how to hack through mysql-real-escape-string even in an SQL statement e.g. inserting into a UTF8 db, a properly escaped (mysql-real-escape-string) var? In case my post here is lacking understanding, then please forgive.. and better yet, please explain! I post/ask because I am wanting to SEE the whole everything like you few experts here who really know exactly what everyone is talking about (or when they are just groping in the dark). -Govinda -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
