SQL Injection...

daredevil14

I am trying to figure out how to use the : mysql_real_escape_string() function... i am trying this example, and btw i tried to reduce as many php codes as i can ( so suppose that there's really a connection on, and the get_magic_quotes_gpc() is enabled... )

<form method="post" action="<?php $_SERVER["PHP_SELF"];?>" />
<input type="text" name="name" />
<input type="submit" name="submit" />
</form>

<?php

if ( $_POST["submit"] )

{

$conn = mysql_connect("localhost","root",""); 
mysql_select_db("injections", $conn);

$name = mysql_real_escape_string(stripslashes($_POST["name"]), $conn);
$sql = "INSERT INTO tbl (`name`) VALUES ('$name')";
mysql_query($sql, $conn);

}

?>

I get an error message saying that : mysql_real_escape_string() function is undefined... any help ?

NogDog

First, make sure you have no spelling mistakes in the actual code. (I say this since the function name is misspelled in the error message your reported in your post.) If that's not it, then make sure your mysql_connect() is working. (E.g.: make sure that $conn does not equal false after the command is run.) If the connection fails, then mysql_real_escape_string() will not work. If that is not the issue, try the following to see if for some strange reason the function has been disabled:

<?php
echo ini_get('disable_functions');

daredevil14

Well it is not the misspelling of course ( just forgot the l of mysql ), and it is not a connection issue since i already tested the connectivity to the database server and it was running normally... so it is up with that line where the mysql_real_escape_string function is because when i remove this line, everything works !!...

besides where do i insert your code ? I inserted it into an "IF" statement - return true if it is on, and false if off... it returned false... so ?

NogDog

Simplest thing would be to put that ini_get() code in a separate file. The intent is just to see if anything is specified for it in your PHP configuration settings.

bradgrafelman

Also, do a phpinfo() and let us know:

The version of PHP your server is running
If you see a "mysql" table

daredevil14

Ok, i had the 4th version of PHP and it wasn't working, so I upgraded to PHP 5, and well it is working, not giving an error, just working ( the SQL statement is done successfuly )... now let me ask some questions...

*How can i test the mysql_real_escape_string() to know its effect and its main solution of SQL injections ?

*I used the following script :

$name = mysql_real_escape_string(stripslashes($_POST["name"]), $conn);

so what's up with the stripslashes() function ? what's it all about ? do i have to always use it with mysql_real_escape_string() ?

*How does really the mysql_real_escape_string() function protects from SQL injections ? what's its main job ?

*Is it sufficient to use the mysql_real_escape_string() function only to protect from SQL injenctions ? does it provide an acceptable security level ?

*What about the regular expressions & filters ( stuffs like ^, [a-z]... ) ? should they be used with the mysql_real_escape_string() function ?

Regards

bradgrafelman

If you're using PHP5, you might consider using the [man]PDO[/man] extension as its drivers do all of the injection-prevention for you (as well as providing more functionality than the older, deprecated [man]MySQL[/man] extension). As for your questions...

daredevil14 wrote:
so what's up with the stripslashes() function ? what's it all about ? do i have to always use it with mysql_real_escape_string() ?

Simply put, you should never have to use stripslashes() in combination with mysql_real_escape_string(). The only time you would need to do so is if magic_quotes_gpc is enabled, in which case you'd do something like:

if(get_magic_quotes_gpc()) {
    $var = mysql_real_escape_string(stripslashes($_POST['var']));
} else {
    $var = mysql_real_escape_string($_POST['var']);
}

While the above code snippet would maintain the portability of your script, you should make every effort to ensure that magic_quotes_gpc is disabled on your server.

daredevil14 wrote:
How can i test the mysql_real_escape_string() to know its effect and its main solution of SQL injections ?

I don't know what you mean by "test"... as the manual for [man]mysql_real_escape_string/man explains, the function simply prepends certain characters that would normally cause problems in a SQL query with a backslash so that their special meanings are canceled (e.g. a single quote is prepended with a backslash to prevent SQL injections - malicious users can't escape out of a string and add their own commands into the SQL query).

daredevil14 wrote:
*Is it sufficient to use the mysql_real_escape_string() function only to protect from SQL injenctions ? does it provide an acceptable security level ?

For SQL injection prevention alone, yes, it will stop users from altering your query.

There are also other methods of preventing SQL injection, e.g. validating the type of data. For example, if you're expecting a variable $_GET['user_id'] to be a number, you can either cast it to an integer, use [man]intval[/man], use '%d' in a [man]sprintf/man format string, etc. Such measures negate the need to use [man]mysql_real_escape_string/man.

daredevil14 wrote:
*What about the regular expressions & filters ( stuffs like ^, [a-z]... ) ? should they be used with the mysql_real_escape_string() function ?

Regexp patterns should have nothing to do with SQL injection prevention. Instead, you should be using regexp pattersn to verify the format (or type) of the data (e.g. ensure that it begins with a letter, is between 3-16 characters long, etc. etc.).

In other words, yes, you can of course use regexp's if you want to verify that the data is in the correct format. Using it to prevent SQL injection, however, is overkill, inefficient, and completely unnecessary.

daredevil14

bradgrafelman wrote:
I don't know what you mean by "test"... as the manual for [man]mysql_real_escape_string/man explains, the function simply prepends certain characters that would normally cause problems in a SQL query with a backslash so that their special meanings are canceled (e.g. a single quote is prepended with a backslash to prevent SQL injections - malicious users can't escape out of a string and add their own commands into the SQL query).

Well, the magic quotes are OFF, so the thing is that i don't see the difference between using : mysql_real_escape_string() function and not using it...

*I used it, i tried to insert : 'something' into the db, i went to the db and saw the value the same as it was inserted : 'something' why? why didn't i find the supposed to be added slashs ???

*then i went to the SQL query and added 2 slashes so it became :

.... values ('/$name/') ....

it's the same, it outputs : /name/ ( with the slashes ) why is that ?

bradgrafelman

daredevil14 wrote:
'something' why? why didn't i find the supposed to be added slashs ???

Because you're not supposed to; it simply prevents the query itself from being broken.

Example: Say you have a query that looks like...

$query = "INSERT INTO myTable (col1) VALUES ('" . $_POST['foo'] . "')";

and let's also suppose that magic_quotes_gpc is OFF (as it should be). If I entered a value of This isn't broken! into the form and submitted it, the query would then look like:

INSERT INTO myTable (col1) VALUES ('This isn't broken!')

Notice the problem? The single quote in the POST'ed data will break the query. Using [man]mysql_real_escape_string/man adds a slash to that quote, however, so that the query will then read:

INSERT INTO myTable (col1) VALUES ('This isn\'t broken!')

The backslash behaves exactly as it would for a string in PHP; the single quote is "escaped" and thus doesn't end the string (as it did in the first query) and is understood by SQL to be a literal single quote in the string.

daredevil14 wrote:
it's the same, it outputs : /name/ ( with the slashes ) why is that ?

Well, I believe my above explanation covers this, but note that forward slashes don't have any special meaning, thus the use of [man]mysql_real_escape_string/man wouldn't apply here.