[RESOLVED] php self guard!

Zpixel

I checked and saw that php itself put slashes in front of forbidden characters without using any extra functions. if so, why do we need to use addslashes or mysql_real_scape_string before any query?

suppose we need to use those functions before any query, can we use the code below in top of pages and make sure that anything will go well without any worry for sql-injection?

foreach($POST as $x => $y)
if($y!=mysql_real_scape_string($y))
$POST[$x]=mysql_real_scape_string($y);

foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

the same code for GET variables works.
so in the rest of the program we can use $_POST without any worry.

could you check codes and check if it realy works?

NogDog

Read this:

magic quotes

Then modify your configuration and/or code accordingly.

bradgrafelman

As NogDog pointed out with the link to the manual, it's a feature that has been deprecated and removed from future versions of PHP, so that alone should give you enough reason to not want to use it.

If you need more convincing, note that [man]addslashes/man and magic_quotes_gpc should not be used for sanitizing data for SQL queries. [man]addslashes/man and [man]mysql_real_escape_string/man don't do the same thing (hence why they are two different functions) and only the latter will actually prepare the data properly. As the manual for [man]addslashes/man points out, you should always use a DBMS-specific sanitizing function and only resort to [man]addslashes/man if you have to.

Zpixel

yes thanks. in localhost i think magic quotes is on.

whether it is enabled or not, is it agreeable to use the code bellow in top of pages and leave the rest of the page without any real_scape function? i think it works but i want to make sure.

foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

now for example:
$name=$_POST['name']; //without repeating of real_scape function
do_query....

bradgrafelman

As the manual explains, the problem with code like that is that you don't always want to escape everything. Plus, doing so destroys data integrity.

If you later echo() something that was POST'ed, it will be escaped, resulting in things such as "Hello Mr. O\'Reilly!". Plus, that code doesn't take into consideration if magic_quotes_gpc is enabled or not thus running the risk of double escaping the data.

Basically, I only escape the data as I'm putting it into a SQL query. Quick example:

$query = sprintf("SELECT col1 FROM users WHERE userid = &#37;d OR username = '%s'",
    $_POST['id'],
    mysql_real_escape_string($_POST['name'])
);

Note that in my above example, if you were to simply use [man]mysql_real_escape_string/man on $_POST['id'] then you would still run the risk of your query being altered slightly - that's why I forced the numeric data to be a numeric type (in this case using sprintf() - other times I'll just cast it to an (int)).

NogDog

Zpixel;10914417 wrote:
yes thanks. in localhost i think magic quotes is on.

whether it is enabled or not, is it agreeable to use the code bellow in top of pages and leave the rest of the page without any real_scape function? i think it works but i want to make sure.

foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

now for example:
$name=$_POST['name']; //without repeating of real_scape function
do_query....

Probably better would be to save it to a separately named array. This will make it clear that the data in that array has been escaped for use in DB queries. Also, you may need to use a recursive function for cases where your $_POST array will be multi-dimensional. E.g.:

<?php
// code from manual to undo magic_quotes if needed:
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

    return $value;
}

$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

// you could use this to escape your form data:
function escape_deep($value)
{
   $value = is_array($value) ?
         array_map('escape_deep', $value) :
         mysql_real_escape_string($value);
   return $value;
}
$db_post_data = $_POST;
// make sure mysql connection is done before this is called:
array_map('escape_deep', $db_post_data);

// now you can use escaped data as needed:
$sql = "SELECT * FROM table_name WHERE something='".$db_post_data['name']."'";
?>

Zpixel

you don't apply real_scape on a string like ("Hello Mr. O'Reilly!".) if you want to save it in a db?

what is the story about magic_quotes_gpc and mysql_real_escape_string? i've been searching for the reason. if magic_quotes_gpc is off, mysql_real_escape_string has a risk to use?

i always think to simplicity when writing php code. can we revise the code bellow in 5 lines? considering there is no multidimensional array or anything else like that.

i just like to know how to blend magic_quotes_gpc & mysql_real_escape_string in this code:

foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

ofcours stripslashes will be used when retrieving data(only for those inputs that any normal use of quotes is expected such as the example sentence above).

NogDog

Zpixel;10914434 wrote:
you don't apply real_scape on a string like ("Hello Mr. O'Reilly!".) if you want to save it in a db?

Not real sure what you're asking here, but you need to apply the appropriate escaping mechanism to any external string data being used in a query.

what is the story about magic_quotes_gpc and mysql_real_escape_string? i've been searching for the reason. if magic_quotes_gpc is off, mysql_real_escape_string has a risk to use?

The escaping done by magic_quotes_gpc is not necessarily correct or complete for any given DBMS. Therefore if you depend on it, SQL injection may still occur. But if you use the correct escaping mechanism on top of magic_quotes_gpc without first undoing its "damage", then you end up "double-escaping" and getting unwanted back-slashes in the actual database data.

i always think to simplicity when writing php code. can we revise the code bellow in 5 lines? considering there is no multidimensional array or anything else like that.

i just like to know how to blend magic_quotes_gpc & mysql_real_escape_string in this code:

foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

ofcours stripslashes will be used when retrieving data(only for those inputs that any normal use of quotes is expected such as the example sentence above).

You should not have to use stripslashes() when pulling data out of the database, since the escaping back-slashes are not actually saved in the database. If you are seeing them, then it's probably because of what I just described above: doing something like using mysql_real_escape_string() on data that was already escaped by magic_quotes_gpc(), so that the escape_string ends up escaping the back-slashes added by magic_quotes.

Zpixel

if (get_magic_quotes_gpc()) {
foreach($POST as $x => $y)
$POST[$x]=stripslashes($y);
}
foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

is there anything more safe than above?
what about _ and % characters? should they be considerd and how?

NogDog

Zpixel;10914442 wrote:
if (get_magic_quotes_gpc()) {
foreach($POST as $x => $y)
$POST[$x]=stripslashes($y);
}
foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);

is there anything more safe than above?
what about _ and % characters? should they be considerd and how?

With regard to preventing SQL injection issues, that should work for a mysql DB extension environment. However, should you have any array type form fields, it would need to be amended into some sort of recursive function to handle the multiple array dimensions. It could also be an issue if you do not, in fact, use every form field in, and only in, database queries; as in other uses you might have to use stripslashes() to undo the escaping; so it could be a situational thing you need to keep aware of. (Or you could just use my earlier suggestion of filtering/escaping the $POST data into a separately named array, though that might require some additional handling if your code depends on the "super-global" aspect of $POST).

bradgrafelman

Zpixel wrote:
you don't apply real_scape on a string like ("Hello Mr. O'Reilly!".) if you want to save it in a db?

Yes, you do. But if you apply the escaping to the $_POST array instead of a copy of it, then you're losing the only copy of the original string you have. If you later print that data, then it's going to have the backslashes in it from when you escaped it for the database. That's why NogDog suggested making a separate array to be used with SQL queries.

Zpixel wrote:
i always think to simplicity when writing php code.

So do a lot of other programmers out there. Unfortunately, the are a lot of web applications that have a high degree of simplicity but a very low degree of security. I suppose there's a certain trade-off; do you want to write 3 lines of code and risk losing your data, or do you want to research security measures and instead write 10? Once you get the hang of it, it'll (hopefully) become second nature to you, though.

Zpixel wrote:
what about _ and % characters? should they be considered and how?

What about them? For MySQL, they only have special meaning when used with a LIKE comparison. If you don't want the user to be able to search with these wildcards, you could do a [man]str_replace/man and manually filter them out whenever you plan to do a LIKE comparison, though there's not really any danger in not doing this.

Zpixel

as NogDog said it is nearly enough. and as you said $_POST will be alterd. so let me

if (get_magic_quotes_gpc()) {
foreach($POST as $x => $y)
$POST[$x]=stripslashes($y);
}
foreach($POST as $x => $y)
$POST[$x]=mysql_real_scape_string($y);
$copy=$POST;

isn't it better than writing mysql_real_scape_string everywhere in code?

bradgrafelman

The code you posted above won't help because what you do is alter $POST and then copy it after you're done. What you could do instead is replace $POST[$x] in the last loop with $_copy[$x] so that the escaped values are inserted into a new array.

Zpixel wrote:
isn't it better than writing mysql_real_scape_string everywhere in code?

I suppose that's a matter of personal preference; for me, I hardly ever create temporary arrays to begin with. I just use [man]sprintf/man to build the SQL query strings and escape the data as I go.

I should say that's what I'm doing on existing projects; for new projects, I'm hoping to start fresh and use something like [man]PDO[/man] and use prepared statements (eliminating the need to escape data).

Zpixel

thank you.