[PHP-DB] mysql_escape_string()
The mysql_escape_string() function escapes ' (single quote) and " (double quote) characters. When PHP receives data through a form, it automatically escapes these characters (tested with PHP 4.3.5). Once mysql_escape_string() receives it, ' and " have already been escaped. In essence, instead of escaping ' it's trying to escape \' which results in \\\'. However, once the data is actually inserted into the column, what shows up in the column is just '. But if I echo the variable, it shows up as \\\', which I don't think is proper behavior.

I also noticed mysql_escape_string() is only meant to escape binary data to be inserted. Consequently it does not escape all metacharacters as defined by the w3c. It would be nice to have a function that did escape all metacharacters that I could just call with $_POST as an arg and have it escape all the variables in $_POST. Something like this, but as a builtin function:

    // Backslash-escape shell/SQL metacharacters in every value of the array
    // (quotes are left to mysql_escape_string()). PHP 4 passes arrays by value,
    // so the escaped copy has to be returned to the caller.
    function sql_escape($ESCAPE) {
        foreach ($ESCAPE as $key => $val) {
            $ESCAPE[$key] = preg_replace('/([;`\\\\|*?~^()\[\]{}$\n\r])/', '\\\\$1', $val);
        }
        return $ESCAPE;
    }

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] mysql_escape_string()
Jason Wong wrote:
> ... and is in no way related to metacharacters as defined by the w3c. If you are having a particular problem please elaborate.

As pointed out by rain forest puppy in http://www.wiretrip.net/rfp/txt/phrack55.txt, all metacharacters as defined by the w3c should be escaped for security reasons, whether it be an SQL query or a shell command. Even if you don't think a particular metacharacter could be used for SQL injection techniques, someone will come along and prove you wrong eventually. MySQL will properly interpret all w3c metacharacters when escaped. I suspect the MySQL folks understood the need for it too.
Re: [PHP-DB] mysql_escape_string()
Jason Wong wrote:
> But why do they say in the manual that only the backslash character, and the string quote character needs to be escaped?

I've been able to inject SQL queries into form fields that escape the backslash and quote characters. http://www.securiteam.com/securityreviews/5KP0N1PC1W.html is an example using / and * characters. Many times you can encode your data into some other form that gets past mysql_escape_string(). According to the documentation, mysql_escape_string() is _not_ meant to be used for security purposes. It's meant to be used to escape binary data so you can use it with insert statements. You can use it if you want, but you will be burned by it eventually.
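The two problems raised in this thread, the double escaping seen in the first post when magic_quotes_gpc has already backslashed the form data, and the point in this reply that escaping quotes does not stop injection, can both be reproduced with the script below. It is an added example, not code from the thread or from PHP; it is written in Python rather than PHP so it runs against an in-memory SQLite table instead of a MySQL server. The mysql_escape_string(), magic_quotes_gpc() and stripslashes() helpers are reimplementations of the escaping rules documented for MySQL and PHP 4, the users table is constructed sample data, and the function names around it are my own.

```python
import sqlite3

# Reimplementation (for illustration only, not PHP's own code) of the escaping
# rules MySQL documents for mysql_escape_string(): NUL, newline, carriage
# return, backslash, single quote, double quote and Ctrl-Z get a backslash.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape_string(s: str) -> str:
    """Backslash-escape the characters MySQL treats specially inside a quoted literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in s)


def magic_quotes_gpc(s: str) -> str:
    """What PHP 4's magic_quotes_gpc did to form data before the script saw it:
    addslashes() semantics for the quote and backslash characters."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in s)


def stripslashes(s: str) -> str:
    """PHP's stripslashes(): remove one layer of addslashes() escaping."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def double_escaped(form_value: str) -> str:
    """The bug from the first post: escaping a value that magic_quotes already
    escaped, so one single quote ends up as three backslashes and a quote."""
    return mysql_escape_string(magic_quotes_gpc(form_value))


def escape_once(form_value_as_received: str, magic_quotes_on: bool) -> str:
    """Correct PHP 4-era handling: undo the magic_quotes layer, then escape exactly once."""
    if magic_quotes_on:
        form_value_as_received = stripslashes(form_value_as_received)
    return mysql_escape_string(form_value_as_received)


def demo_db() -> sqlite3.Connection:
    """Constructed sample table; in-memory SQLite stands in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Numeric context: the value is not inside quotes, so quote escaping changes
    nothing and '1 OR 1=1' is spliced straight into the statement."""
    sql = "SELECT name FROM users WHERE id = %s ORDER BY id" % mysql_escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_bound(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(double_escaped("O'Brien"))                                      # O\\\'Brien
    print(escape_once(magic_quotes_gpc("O'Brien"), magic_quotes_on=True))  # O\'Brien
    conn = demo_db()
    print(lookup_by_id_escaped(conn, "1 OR 1=1"))   # every row comes back
    print(lookup_by_id_bound(conn, "1 OR 1=1"))     # no rows
```

The first two prints show the \\\' effect from the original post and the fix of calling stripslashes() when magic_quotes_gpc is on, so the value is escaped exactly once. The last two show why escaping alone is not a defense: mysql_escape_string("1 OR 1=1") is the unchanged string, and in a numeric WHERE clause it is executed as SQL, while the bound parameter is compared as a value and matches nothing.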