[PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?


if this is about escaping single quotes (and there may be other stuff that needs
escaping - stuff I can't think of right now - stuff that may or may not be related
to the encoding one is using [e.g. unicode]) then one should be escaping single
quotes with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.


-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:


All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have 
a *real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?
It seems that addslashes gets a lot of flack, but is there any 
other/better way?



if this is about escaping single quotes (and there may be other stuff
that needs escaping - stuff I can't think of right now - stuff that may or may
not be related to the encoding one is using [e.g. unicode]) then one should be
escaping single quotes with single quotes:

UPDATE blatable SET blafield = 'my ''blablabla''';

which all decent/recent DBMS' support IIRC.

Understood what the escape character needs to be...the question is the 
best way to get it there?

Currently I have:
magic_quotes_sybase = On
so a function call like addslashes() would actually escape single quotes 
with another single quote...

Is there a better/more secure way?


-Brad








Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

All...
A lot has been said recently about the dangers of the family of 
magic_quotes...

I understand the dangers.
The question is, for those of us using a database that does not have a 
*real_escape_string function...Oracle for example.

What is the *best* way to escape quotes for DB insertion?


looking at the manual I would assume that ora_bind() is the best way of safely
stuffing things into an oracle DB:

http://php.net/manual/en/function.ora-bind.php

if this function is of any worth it *should* be doing any/all proper escaping of
data 'under water' and hopefully much more thoroughly/correctly than anything
you/we could do in userland.

<remark type=biased>
of course you could use firebird DB (php5 interbase extension) and just make
use of the built in parameterized query functionality - which is simple to use,
doesn't require endless reams of parameter binding declaration and is rock solid
(i.e. no matter how crap my input filtering is SQL injection remains impossible ;-))
</remark>

It seems that addslashes gets a lot of flack, but is there any 
other/better way?

-Brad






Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:

Jochem Maas wrote:

...

Understood what the escape character needs to be...the question is the 
best way to get it there?

Currently I have:
magic_quotes_sybase = On


this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

so a function call like addslashes() would actually escape single quotes 
with another single quote...




Is there a better/more secure way?


my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) according to
the context the data is being used in (e.g. DB insertion as per this discussion)

if/when trying to write truly portable code you will have to have routines
that check the actual magic quotes settings and depending on the actual
values/settings normalize your data accordingly... which can be a right PITA
to do properly :-)




-Brad
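The "routines that check the actual magic quotes settings" Jochem describes, as an added example that is not code from the thread: it reads the magic_quotes_gpc and magic_quotes_sybase settings and undoes whichever automatic escaping PHP applied, so the script can then escape explicitly for the DB. The function names and the constructed sample strings are my own.

```php
<?php
// Added example (not from the thread): undo whatever escaping magic_quotes
// applied to request data, so the script can escape explicitly per context.
// Call normalize_request() once at the start of a request.

// $sybase = true  : PHP doubled single quotes ('' for ')
// $sybase = false : PHP added backslashes (\' for ', \\ for \)
function undo_magic_quotes($value, bool $sybase)
{
    // Recurse into nested arrays such as $_POST['form']['name'].
    if (is_array($value)) {
        $out = array();
        foreach ($value as $k => $v) {
            $out[$k] = undo_magic_quotes($v, $sybase);
        }
        return $out;
    }
    if (!is_string($value)) {
        return $value;
    }
    return $sybase ? str_replace("''", "'", $value) : stripslashes($value);
}

function normalize_request(): void
{
    // get_magic_quotes_gpc() is gone in PHP 8; on those versions nothing was
    // ever auto-escaped, so there is nothing to undo.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return;
    }
    // magic_quotes_sybase only changes the escape *style*; it escapes anything
    // only because magic_quotes_gpc is on (per the manual excerpt in the thread).
    $sybase = (bool) ini_get('magic_quotes_sybase');
    foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $g) {
        $GLOBALS[$g] = undo_magic_quotes($GLOBALS[$g], $sybase);
    }
}

normalize_request();

// Constructed samples: what each escape style turns back into.
var_dump(undo_magic_quotes("O\\'Reilly", false));          // string(8) "O'Reilly"
var_dump(undo_magic_quotes("O''Reilly", true));            // string(8) "O'Reilly"
var_dump(undo_magic_quotes(array('n' => "it''s"), true));  // array('n' => "it's")
```

After this runs, every value in the superglobals is the raw user input, and the single place that escapes (or, better, binds) it for Oracle is the code that builds the query.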



Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Brad Bonkoski



Jochem Maas wrote:


Brad Bonkoski wrote:




Jochem Maas wrote:



...



Understood what the escape character needs to be...the question is 
the best way to get it there?

Currently I have:
magic_quotes_sybase = On



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


-and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


so a function call like addslashes() would actually escape single 
quotes with another single quote...





Is there a better/more secure way?



my preference is to have all magic_quote_BLA ini settings set to
off and explicitly escape my data (after validation/cleaning) according to
the context the data is being used in (e.g. DB insertion as per this 
discussion)

if/when trying to write truly portable code you will have to have 
routines that check the actual magic quotes settings and depending on the 
actual values/settings normalize your data accordingly... which can be a 
right PITA to do properly :-)


Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! 
I will test out the ora_bind function to see if that does escaping for 
me, but that is a PITA!  especially with large queries...


What about your firebird suggestion, does this work well with Oracle 
connections and queries? 

-Brad




Re: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Jochem Maas

Brad Bonkoski wrote:





...



this adds single quotes automatically - addslashes (unless I'm mistaken -
wouldn't be the first time) would add slashes (and not single quotes)
which is not what you want.

Only done automatically IFF magic_quotes_gpc is ALSO on, which in my 
case it is off.


excerpts from manual
magic_quotes_sybase *boolean* 
http://www.php.net/manual/en/language.types.boolean.php


If magic_quotes_sybase is on, a single-quote is escaped with a 
single-quote instead of a backslash if magic_quotes_gpc 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-gpc or 
magic_quotes_runtime 
http://www.php.net/manual/en/ref.info.php#ini.magic-quotes-runtime are 
enabled.


-and -
An example use of *addslashes()* is when you're entering data into a 
database. For example, to insert the name O'reilly into a database, you 
will need to escape it. Most databases do this with a \ which would mean 
O\'reilly. This would only be to get the data into the database, the 
extra \ will not be inserted. Having the PHP directive 
magic_quotes_sybase 
http://www.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase 
set to on will mean ' is instead escaped with another '.


consider this a reminder to myself to RTFM. ;-)

...

Is there a better/more secure way?

...

Understood...
The Oracle work I do is in a 'controlled' environment, but portability 
should be factored in at some point! I will test out the ora_bind 
function to see if that does escaping for me, but that is a PITA!  
especially with large queries...


indeed - probably worth the time to write some kind of generic routine to
do the binding based on field datatypes etc - then again that probably will cost
you performance... you know the saying you can't have your cake and eat it



What about your firebird suggestion, does this work well with Oracle 
connections and queries?




no my firebird suggestion only works at all when connecting to firebird 
databases. :-)
but when you do connect to a firebird db it works very well indeed ;-)




RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Brad Bonkoski [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:41
 
 A lot has been said recently about the dangers of the family of
 magic_quotes...
 I understand the dangers.
 The question is, for those of us using a database that does not have a
 *real_escape_string function...Oracle for example.
 What is the *best* way to escape quotes for DB insertion?

Well, since Oracle escapes single-quotes with another single quote, on the few 
occasions when I actually have to escape I generally just run:
 
$safe_str = str_replace("'", "''", $str);
 
- 
Mike Ford,  Electronic Information Services Adviser, 
Learning Support Services, Learning & Information Services, 
JG125, James Graham Building, Leeds Metropolitan University, 
Headingley Campus, LEEDS,  LS6 3QS,  United Kingdom 
Email: [EMAIL PROTECTED] 
Tel: +44 113 283 2600 extn 4730  Fax:  +44 113 283 3211 






RE: [PHP] Escaping quotes for DB Entry

2006-05-26 Thread Ford, Mike
 From: Jochem Maas [mailto:[EMAIL PROTECTED]
 Sent: Fri 26/05/2006 15:54

 
 Brad Bonkoski wrote:
  All...
  A lot has been said recently about the dangers of the family of
  magic_quotes...
  I understand the dangers.
  The question is, for those of us using a database that does not have a
  *real_escape_string function...Oracle for example.
  What is the *best* way to escape quotes for DB insertion?
 
 looking at the manual I would assume that ora_bind() is the best way of safely
 stuffing things into an oracle DB:
 
 http://php.net/manual/en/function.ora-bind.php

Whoa, that is wy out of date - the ora_ functions have been deprecated as 
long as I've been using PHP, which is several years now! You should be using 
the OCI extension, and oci_bind_by_name().

 if this function is of any worth it *should* be doing any/all proper escaping 
 of data 'under water' and hopefully much more thoroughly/correctly than anything 
 you/we could do in userland.
 
 <remark type=biased>
 of course you could use firebird DB (php5 interbase extension) and just make 
 use of the built in parameterized query functionality - which is simple to use, 
 doesn't require endless reams of parameter binding declaration and is rock solid 
 (i.e. no matter how crap my input filtering is SQL injection remains impossible ;-))
 </remark>
 
oci_bind_by_name() (and, presumably, ora-bind() before it) *is* Oracle's 
parameterized query equivalent -- admittedly not quite as elegant, but no 
escaping required and is rock solid (i.e. no matter how crap [your] input 
filtering is SQL injection remains impossible!).
 
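The two approaches the thread converges on, as an added example that is not code from any of the posters: Jochem's and Mike's doubled single quote for a string literal, set against addslashes() output, and then Mike's recommended oci_bind_by_name() bind variable, where the value never enters the SQL text at all. The table and column names (people, name), the function names and the connection placeholders are my own assumptions.

```php
<?php
// Added example (not from the thread). Getting O'Reilly into an Oracle table:
// (1) escaping by doubling the quote, (2) a bind variable via the oci8 extension.
// Table/column names (people, name) are hypothetical.

// Oracle (and standard SQL) escape a single quote by doubling it, so a
// backslash-based escaper such as addslashes() is the wrong tool here.
function escape_for_oracle(string $value): string
{
    return str_replace("'", "''", $value);
}

function build_insert_literal(string $name): string
{
    return "INSERT INTO people (name) VALUES ('" . escape_for_oracle($name) . "')";
}

$input = "O'Reilly";   // constructed sample input
echo build_insert_literal($input), "\n";
// INSERT INTO people (name) VALUES ('O''Reilly')

// What addslashes() produces: a backslash that Oracle does not treat as an
// escape, so the quote in O'Reilly still terminates the literal.
echo "INSERT INTO people (name) VALUES ('" . addslashes($input) . "')", "\n";
// INSERT INTO people (name) VALUES ('O\'Reilly')

// Preferred: a bind variable. The value is sent separately from the statement
// text, so no escaping is needed whatever the input contains. Needs the oci8
// extension and a live connection; credentials below are placeholders.
function insert_person_bound($conn, string $name): bool
{
    $stmt = oci_parse($conn, "INSERT INTO people (name) VALUES (:name)");
    oci_bind_by_name($stmt, ':name', $name, -1);  // -1: length taken from $name
    $ok = oci_execute($stmt);                     // commits on success by default
    oci_free_statement($stmt);
    return (bool) $ok;
}

if (extension_loaded('oci8')) {
    $conn = oci_connect('USER_PLACEHOLDER', 'PASSWORD_PLACEHOLDER', 'HOST_PLACEHOLDER/SERVICE_PLACEHOLDER');
    if ($conn) {
        insert_person_bound($conn, $input);
        oci_close($conn);
    }
}
```

The first two echo lines run anywhere; the bound insert only runs when oci8 is loaded and the placeholder credentials are replaced.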