Larry Ullman's Book Forums

SQL Injection

Hi Larry/everyone,

 

I came across this article: "Can You Hack Your Own Website?..."

http://net.tutsplus.com/tutorials/tools-and-tips/can-you-hack-your-own-site-a-look-at-some-essential-security-considerations/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nettuts+%28Nettuts%2B%29&utm_content=Google+Feedfetcher

 

 

To sanitize inputs, the author used not only "mysql_real_escape_string" but also the function "addcslashes". Specifically, the line of code (that would be added to the "escapedata()" function on page 56) is:

 

$string_b = addcslashes($string_i, "\x00\n\r\'\x1a\x3c\x3e\x25");

 

I was wondering what your thoughts are on this extra line of code, and whether it's necessary or not.

 

Thanks!


Hello Steve,

 

Thanks for your question. I looked at the article and I'll admit that there are a few points made in the article that I disagree with (e.g., the argument to use mysql_pconnect() or the failure to confirm that variables are set before referencing them). I also don't think the author convinced me of the merits of addcslashes() over mysql_real_escape_string(). The argument for mysql_real_escape_string() is twofold: first, it puts more functionality into the database, which is generally advised. Second, it performs the escaping in a way that's particular to the character set used by the database, so it's more particular and less generic than addcslashes(). Also, to be clear, the author isn't using addcslashes() AND mysql_real_escape_string() but rather addcslashes() INSTEAD OF mysql_real_escape_string().

 

To be clear, it's really a minor distinction between the two, but I prefer mysql_real_escape_string().

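To make the comparison in the answer above concrete, here is an added example that is not from this thread, Larry's book, or the linked article. It is a Python model of the escape rules involved, written from the documented behaviour of PHP's addcslashes() with the exact charlist quoted in the question and of the mysql/mysqli _real_escape_string() family; the functions are assumptions for illustration, not calls into PHP or MySQL, and they model single-byte text only, so the character-set awareness Larry mentions is precisely what they cannot show.

```python
"""Side-by-side model of the two escaping approaches discussed in the thread.

Added example, not the forum's or the book's code. addcslashes() below is a
reimplementation of PHP's function for a plain (non-range) charlist, and
mysql_style_escape() reimplements the escape set documented for
mysql_real_escape_string(). Both assume a single-byte character set.
"""

# The charlist from the quoted line: "\x00\n\r\'\x1a\x3c\x3e\x25".
# In a PHP double-quoted string \' is not an escape sequence, so the list
# really contains a backslash AND a single quote; \x3c \x3e \x25 are < > %.
ADDCSLASHES_CHARLIST = "\x00\n\r\\'\x1a<>%"

# Characters mysql_real_escape_string() escapes, per the PHP manual:
# NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
MYSQL_ESCAPE_SET = "\x00\n\r\\'\"\x1a"

# C-style forms addcslashes() emits for control characters in its list; any
# other listed character below 0x20 or above 0x7e becomes a 3-digit octal escape.
_C_STYLE = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\x07": "\\a",
            "\x0b": "\\v", "\x08": "\\b", "\x0c": "\\f"}


def addcslashes(s: str, charlist: str = ADDCSLASHES_CHARLIST) -> str:
    """Model of PHP addcslashes() for a charlist of single characters."""
    out = []
    for ch in s:
        if ch not in charlist:
            out.append(ch)
        elif ch in _C_STYLE:
            out.append(_C_STYLE[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("\\%03o" % ord(ch))  # NUL -> \000, Ctrl-Z -> \032
        else:
            out.append("\\" + ch)            # ' -> \'  \ -> \\  % -> \%
    return "".join(out)


# MySQL's own forms for the non-printable members of the escape set.
_MYSQL_FORMS = {"\x00": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def mysql_style_escape(s: str) -> str:
    """Model of mysql_real_escape_string() for a single-byte charset."""
    out = []
    for ch in s:
        if ch not in MYSQL_ESCAPE_SET:
            out.append(ch)
        else:
            out.append(_MYSQL_FORMS.get(ch, "\\" + ch))
    return "".join(out)


def coverage_difference() -> tuple:
    """Return (escaped only by the addcslashes charlist, escaped only by MySQL's set)."""
    a, m = set(ADDCSLASHES_CHARLIST), set(MYSQL_ESCAPE_SET)
    return a - m, m - a


def as_literal(escaped: str) -> str:
    """Wrap an escaped value in single quotes, as the book's queries do."""
    return "'" + escaped + "'"


if __name__ == "__main__":
    # Constructed sample inputs, chosen to hit every character either list treats specially.
    for sample in ["O'Brien", "50% off", 'say "hi"', "back\\slash", "a\x00b\x1ac", "<b>"]:
        print(repr(sample).ljust(16),
              "addcslashes:", as_literal(addcslashes(sample)).ljust(20),
              "mysql:", as_literal(mysql_style_escape(sample)))
    only_add, only_mysql = coverage_difference()
    print("escaped only by the addcslashes list:", sorted(only_add))
    print("escaped only by mysql_real_escape_string:", sorted(only_mysql))
```

Running it shows the two lists disagree in both directions: the article's charlist never escapes a double quote (harmless only as long as every query builds its string literals with single quotes, as the book does), and it does escape `<`, `>` and `%`, which is an output-encoding concern rather than a SQL one. The `%` case is the one to watch: MySQL keeps the sequence `\%` as the two characters `\%` outside of pattern-matching contexts, so a value like `50% off` escaped this way is stored altered, not merely protected. None of this covers the multibyte character-set behaviour that makes the connection-aware function the safer of the two, which is the point Larry makes above.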

Thanks!! I read it as the author was using *both* methods; thanks for clarifying. I did notice the mysql_pconnect, but wasn't going to question it (so, thanks for bringing that up, too).

 

Appreciated, as always!!

 

Steve