mysql_real_escape_query, need help understanding


gavimobile
10-01-2008, 03:35 PM
so mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

So how is adding slashes going to make my script secure?
And why don't I just do $_POST[\'test\']? Wouldn't that do the same thing?

I have a login script which I made before I started using mysql_real_escape_string, and I tried logging in with '' 'or' '1' '=' and other commands, but I can't seem to get inside my own (unsecured) login without a username and password which I have created in my database.
Now I have created a new login script which does use mysql_real_escape_string, and I can't get into this one either.

I'm not understanding the danger of SQL injection, except if someone deletes or edits records from the database.


This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

How does adding slashes make data safe?
How does adding a \ in front of \n make the script more secure?

What is the exact meaning of escape?

I've been pondering this for a while already...

tia

davidj
10-01-2008, 05:14 PM
by adding slashes you are protecting yourself from SQL Injection

gavimobile
10-01-2008, 06:49 PM
by adding slashes you are protecting yourself from SQL Injection
dj, that doesn't answer the question.

So why don't people just add the slashes on their own?
Like my example $_POST[\'test\']
???

davidj
10-02-2008, 05:47 AM
you are missing the point...


$_POST[\'test\']


$_POST is an Array and ['test'] is one key of the Array

you don't escape quotes in array keys as they are not passed onto your SQL query. They are part of your syntax and not user input.

gavimobile
10-02-2008, 11:37 AM
you are missing the point...


$_POST[\'test\']
$_POST is an Array and ['test'] is one key of the Array

you don't escape quotes in array keys as they are not passed onto your SQL query. They are part of your syntax and not user input.

So by just using mysql_real_escape_string I'm totally secure?
What are these filters that people are using? Are they more secure?

thanks
gavimobile

davidj
10-02-2008, 01:26 PM
what are these filters that people are using? are they more secure?

what filters

gavimobile
10-02-2008, 08:42 PM
what filters
I think -> or => are filters... let me do some more research b4 I repost!

davidj
10-02-2008, 08:49 PM
that looks like OOP or an array assignment

gavimobile
10-03-2008, 03:06 AM
Do I still get my lesson in SQL injection ;-)
THREAD CLOSED

2bz2p
10-08-2008, 06:17 PM
Hi,

So I can not find my posted question on sql injections, but here is how I understand it.

If you have a user input field and you catch your data using $_POST

A user puts in a command code (unknown to me) using, say, quotes; they can then interrupt your code and create the sequence of events they want.

so when you say
user input is $mycode = 'true'; <- whatever injection code it is
$user_input = $_POST['ui'];

this will enter in; it will show in the db as 'sql_injection'; (i think but whatever for this purpose)

when you use
user input is 'sql_injection';
$user_input = addslashes($_POST['ui']);

it will get entered as /'sql_injection/'/; which makes the syntax inoperable.

then use the removeslashes (<- not sure if that is correct) to output it without the slashes, though the DB will see the slashes.

Hope that makes sense.
2b
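Added example (not code from this thread or from PHP itself) answering the opening question and 2bz2p's addslashes explanation in concrete terms: a small Python model of what mysql_real_escape_string does to the *structure* of a query. It uses the exact character list quoted in the first post, and everything else (the `escape` and `tokenize` helpers, the `users` table, the `build_login_query` function and the inputs) is constructed here for illustration. The point it shows is that the server parses quotes as delimiters between code and data; escaping turns each quote in the input into "part of the string", so the shape of the SQL the server executes never changes no matter what the user typed.

```python
# Added example (not from the thread): model of what mysql_real_escape_string
# does to the *structure* of a query, using the character list quoted in the
# opening post. Escaper, tokenizer, table and column names are all constructed
# here for illustration.

# Character -> escape sequence, as listed in the first post.
_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}
# Reverse map the tokenizer uses to decode a literal back to its value.
_UNESCAPES = {seq[1]: ch for ch, seq in _ESCAPES.items()}


def escape(value: str) -> str:
    """Mimic mysql_real_escape_string(): prefix each special char with a backslash."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def tokenize(sql: str) -> list:
    """Split a query into ('code', text) and ('string', decoded_value) tokens.

    Single-quoted literals are read the way the MySQL server reads them: a
    backslash makes the next character part of the string, never a delimiter.
    """
    tokens, code, i = [], "", 0
    while i < len(sql):
        if sql[i] != "'":
            code += sql[i]
            i += 1
            continue
        if code:
            tokens.append(("code", code))
            code = ""
        i += 1  # skip the opening quote
        value = ""
        while i < len(sql) and sql[i] != "'":
            if sql[i] == "\\" and i + 1 < len(sql):
                value += _UNESCAPES.get(sql[i + 1], sql[i + 1])
                i += 2
            else:
                value += sql[i]
                i += 1
        if i >= len(sql):
            raise ValueError("unterminated string literal (syntax error)")
        i += 1  # skip the closing quote
        tokens.append(("string", value))
    if code:
        tokens.append(("code", code))
    return tokens


def literals(sql: str) -> list:
    """Decoded values of every string literal in the query, in order."""
    return [value for kind, value in tokenize(sql) if kind == "string"]


def code_shape(sql: str) -> str:
    """The query with each literal replaced by '?': the part the server parses
    as commands. Escaping is 'safe' exactly because this never changes."""
    return "".join("?" if kind == "string" else text for kind, text in tokenize(sql))


def build_login_query(username: str, password: str, escaper=None) -> str:
    """The kind of login query the thread talks about (constructed here)."""
    esc = escaper or (lambda s: s)  # escaper=None models the "unsecured" script
    return ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
            % (esc(username), esc(password)))


EXPECTED_SHAPE = "SELECT id FROM users WHERE username = ? AND password = ?"


def input_stays_data(raw: str) -> bool:
    """True if escaping keeps the query shape and the literal decodes back to raw."""
    query = build_login_query(raw, "pw", escape)
    return code_shape(query) == EXPECTED_SHAPE and literals(query) == [raw, "pw"]


if __name__ == "__main__":
    hostile = "' OR '1'='1"  # the kind of input tried in the thread (constructed)
    for label, esc in (("raw", None), ("escaped", escape)):
        q = build_login_query(hostile, hostile, esc)
        print(label, "->", q)
        print("   shape:", code_shape(q))
```

Run it and compare the two `shape:` lines: the raw query gains extra `OR ?=?` clauses, i.e. the user's quotes became SQL code, while the escaped query keeps the login's original shape and `literals()` returns the typed text unchanged as data. That is the whole meaning of "escape" here, and it is also why the function is tied to a connection: which bytes count as a quote depends on the connection's character set. Modern PHP code reaches the same goal with prepared statements (mysqli/PDO), which send the values separately from the SQL text instead of escaping them into it.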

gavimobile
10-10-2008, 07:39 PM
Hi,

So I can not find my posted question on sql injections, but here is how I understand it.

If you have a user input field and you catch your data using $_POST

A user puts in a command code (unknown to me) using, say, quotes; they can then interrupt your code and create the sequence of events they want.

so when you say
user input is $mycode = 'true'; <- whatever injection code it is
$user_input = $_POST['ui'];

this will enter in; it will show in the db as 'sql_injection'; (i think but whatever for this purpose)

when you use
user input is 'sql_injection';
$user_input = addslashes($_POST['ui']);

it will get entered as /'sql_injection/'/; which makes the syntax inoperable.

then use the removeslashes (<- not sure if that is correct) to output it without the slashes, though the DB will see the slashes.

Hope that makes sense.
2b

Good explanation! Thanks so much... I still think I need to review it a bit more!

davidj
10-10-2008, 09:03 PM
If you used Windows we could have had a team meeting and I would have demo'd it for you.

shame.

gavimobile
10-11-2008, 12:02 AM
If you used Windows we could have had a team meeting and I would have demo'd it for you.

shame.

dj, I learned my lesson once from PMing you with MSN!
Regarding Windows, I have another computer ready with XP!!

take care

davidj
10-11-2008, 12:10 AM
ok

let me know when you have some time

2bz2p
10-11-2008, 12:21 AM
If I am on MSN when y'all do this and I can see via Team, please let me know.

Thanks
2b