Re: SQL injection and PHP/MYSQL

["Brad Fults" <brad () mipscomputation com>]

After using mysql_escape string to insert data into the database, is there
an equal combination of unescaping one should do when the date is pulled
from the database, or is a stripslashes() all that is necessary?

----- Original Message ----- 
From: "shimi" <shimi () shimi net>
To: "Robert Buljevic" <skeptic () s1c org>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, September 09, 2003 2:10 PM
Subject: Re: SQL injection and PHP/MYSQL


> Uhm: http://php.net/mysql-escape-string
>
> On Tue, 9 Sep 2003, Robert Buljevic wrote:
>
> > I'm well aware of the sql injection problem when accepting non-trusted
data.
> > However, I'm interested in a more concrete example, precisely the
PHP/MySQL
> > combination.
> >
> > Suppose I have some input text that's passed to mysql for searching via
http
> > get request.
> > What characters should I allow/disallow?
> > And is it enough to use PHP's addslashes function? If not, why? Could
you
> > provide any example of input that could cause injection even if it's
> > slashed - always referring to the particular case of PHP/MYSQL?
> >
> > Any info would be appreciated... Thanks!
> >
> > Robert Buljevic
>
> -- 
>
>   Best regards,
>      Shimi
>
> ----
>
>    "Outlook is a massive flaming horrid blatant security violation, which
>     also happens to be a mail reader."
>
>    -=The best way to accelerate a Windows machine is at 9.81 m/s^2=-
>
>    "Sure UNIX is user friendly; it's just picky about who its friends
are."
>