NYCPHP Meetup

NYPHP.org

[nycphp-talk] un-escape db content using php or ADOdb functions

Eugenio Tacchini eugenio.tacchini at gmail.com
Wed May 2 14:20:34 EDT 2012


2012/5/2 Rob Marscher <rmarscher at beaffinitive.com>:
>
> On May 2, 2012, at 1:08 PM, Eugenio Tacchini wrote:
>> Now, I'm wondering if the DB-specific escape functions really give
>> additional value with respect to addslashes.
>
> Chris Shiflett's article from 2006 had the best argument I've seen on why addslashes is not enough to secure your code.
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

I was following a discussion on Stack Overflow and I actually ended up
reading exactly that article. I think it's a very good article and
yes, he explained the advantage of using mysql_real_escape_string.
However, like most of the examples of SQL injection I have read, it
focuses on a user authentication query which (at least the way I
usually code) I don't think could be affected. Maybe I'm wrong, but when
I execute a query looking for a user, I always check if the result is
just one row (as expected), and if not I produce an error.
I am sure there are other examples in which the use of addslashes
would be dangerous though.

> Keep a copy of your unescaped data.  Escape it for inserting into the database.  Then take the original unescaped data and do what else you need with it.  If you're outputting to html, you need to run something like the following on each variable you output:
>
> echo htmlspecialchars((string) $var, ENT_QUOTES, 'UTF-8');

Yes, I know this is the best practice but changing an old application
is not easy so I was trying to find something having less code impact.

Cheers,

------------------
Eugenio Tacchini

dadabik.org DaDaBIK database front-end
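The following is an added example for this thread; it is not code from the original posts or from DaDaBIK. It reproduces, without a database, the byte-level reason Shiflett's article gives for preferring the driver's escaping over addslashes (a GBK lead byte followed by a quote), then places the legacy concatenation pattern beside two hardened forms, and finishes with the output escaping Rob recommends. Assumptions: PHP 7.4 or later with mbstring and mysqli (mysqlnd for get_result), a hypothetical table `users(id, username)`, and a mysqli connection `$db` supplied by the caller. The constructed payload also shows, as a generalization, that a one-row check does not by itself catch an injection that names a specific user: the manipulated query below returns exactly one row.

```php
<?php
// Added example, not code from the original thread or from DaDaBIK.
// Assumes: mbstring, mysqli with mysqlnd, a table users(id, username),
// and a mysqli connection created by the caller.

// --- 1. addslashes() is byte-oriented and knows nothing about charsets ---

// Constructed attacker input: GBK lead byte 0xBF followed by a quote (0x27).
$input = "\xbf\x27 OR username = 'admin' -- ";

// addslashes() inserts 0x5C before the 0x27, giving the bytes BF 5C 27.
// In GBK, BF 5C is one valid two-byte character, so the quote that
// follows is, from MySQL's point of view, no longer escaped.
$escaped = addslashes($input);

function gbkPrefixBreakdown(string $escaped): array {
    $prefix = substr($escaped, 0, 3);
    return [
        'hex'       => bin2hex($prefix),            // "bf5c27"
        'gbk_chars' => mb_strlen($prefix, 'GBK'),   // 2: one GBK char, then "'"
    ];
}

// --- 2. The legacy pattern found in old applications ---
function findUserLegacy(mysqli $db, string $username): ?array {
    // Concatenation with addslashes(): with a multibyte connection charset
    // (GBK, SJIS, BIG5, ...) the payload above yields
    //   WHERE username = '<one GBK char>' OR username = 'admin' -- '
    // which returns exactly one row, so a "must be one row" check passes.
    $sql = "SELECT id, username FROM users WHERE username = '"
         . addslashes($username) . "'";
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return $row ?: null;
}

// --- 3. Hardened forms ---
// (a) Escaping that knows the charset.  set_charset() informs both the
// server and the client library, so real_escape_string() treats BF 27 as
// the charset dictates.  Sending "SET NAMES" through query() does NOT
// update the client library and leaves the gap open.
function findUserEscaped(mysqli $db, string $username): ?array {
    $db->set_charset('utf8mb4');
    $sql = "SELECT id, username FROM users WHERE username = '"
         . $db->real_escape_string($username) . "'";
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    return $row ?: null;
}

// (b) Preferred: a prepared statement.  The value never becomes part of
// the SQL text, so no escaping decision has to be made at all.
function findUserPrepared(mysqli $db, string $username): ?array {
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    return $row ?: null;
}

// --- 4. Output: HTML-escape the *unescaped* copy of the data, as Rob
// describes; DB escaping and HTML escaping are separate concerns.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Part 1 runs without a database:
print_r(gbkPrefixBreakdown($escaped));
// echo h($rowFromFindUserPrepared['username']);  // at output time
```

The first section is what to run if you want to see the problem on your own PHP build: the escaped prefix is `bf5c27` and mb_strlen counts it as two GBK characters, meaning the backslash has been swallowed into a character and the quote stands alone. For a legacy code base where moving every query to prepared statements is too invasive, the intermediate step with the least code impact is (a): call set_charset() once on the connection and swap addslashes() for real_escape_string() on that same connection object.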
