When I send ");--
from an input field to my localhost PHP server, it AUTOMATICALLY converts it to
\");--
It seems great, except that I don't know how trustworthy this behavior is. Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production environment may not have this sort of protection automatically activated...
Why does PHP does this(convert the input without having to use mysql_real_escape_string
)? Does it always do it or only with certain extensions? Is it safe to rely on this behavior to prevent SQL injections?
-
It seems that you have Magic Quotes enabled. But you better disable this option or revert them.
mysql_real_escape_string
is more secure.luiscubal : Yes, I had heard about them, but I never knew exactly what they were. I felt unsafe since I didn't know exactly what was going on. That's why I asked this. I'm going to turn it off so I can get control over my server again.Gumbo : I recommend you to read one of the questions here on SO that explain why Magic Quotes are bad practice and show the difference between Magic Quotes and `mysql_real_escape_string()`.troelskn : Actually, if you have the option, use prepared statements instead of escaping data.luiscubal : I'm not sure my server supports them, but I'll remember that name. The concept seems interesting, but doesn't seem to magically remove the injection threat - mysql_real_escape_string still seems to be needed.troelskn : PDO has prepared statements. That has been standard from version 5.1. You don't use explicit escaping (mysql_real_escape_string) when you use prepared statements. -
This "feature" of PHP is known as "magic quotes". As 'magic' as they may be, it is extremely bad practice to use them, as they do little more than give a false sense of security. Thankfully they have been removed from PHP 6 (in development).
A more detailed list of criticisms can be found in this Wikipedia article.
The PHP manual describes various ways to disable magic quotes.
-
You might want to get into talking to the database using an abstraction layer like Zend_Db. For example, if you create a select statement by instantiating a Zend_Db_Select, it would look like this:
//$_GET['thing'] is automatically escaped $select = $zdb->select()->from('things')->where('name = ?',$_GET['thing']); $result = $zdb->fetchRow($select->__toString());//__toString generates a really pretty, vendor independent query //a plain vanilla query would look like this: $result = $zdb->fetchRow('select * from things where name = ?', $zdb->quote($_GET['thing']);
: The abstraction layer is a really good idea. -
You have Magic Quotes turned on. The PHP group officially deprecated this function strongly, and strongly discourages relying on it. Ways to disable magic quotes at runtime don't always work, weather you use
.htaccess
orini_set()
in the script. Calling stripslashes all the time can also become pretty messy.More details: http://ca3.php.net/magic_quotes
0 comments:
Post a Comment