WebApp Sec mailing list archives
Re: SQL injection and PHP/MYSQL
From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 10 Sep 2003 23:11:13 +0200
[Brad Fults]
| After using mysql_escape_string to insert data into the database,
| is there an equal combination of unescaping one should do when the
| data is pulled from the database, or is a stripslashes() all that
| is necessary?

You shouldn't need to do anything when fetching data from the database. The slashes are not part of what gets stored in the tables.

Slashes are not added for the database storage itself, but for the SQL parser in front of it. When you pass the following SQL string constant

  'O\'Connor'

to the SQL parser, the parser will scan the string constant (between the outermost single quotes) character by character and decide what to do. When it reaches the backslash, it thinks: "Lemme see... the user has passed an escape character. That means I'm not gonna treat the following character as something special, but just as a plain character. Aha! The next character is a single quote! If it wasn't for that backslash, I would have terminated the string right here, but now I know better. The string continues."

The parser understands that what you actually want to store is the following:

  O'Connor

and that's what is put in the table. When you read it out, you will get just that.

If you start to remove slashes, it will be all wrong: Say that you tell the SQL parser to store

  'C:\\AUTOEXEC.BAT'

What is stored in the database, is

  C:\AUTOEXEC.BAT

If you use stripslashes after reading this value, you will end up with

  C:AUTOEXEC.BAT

which is probably not what you want.

Hope this helps a little bit.

Sverre.

PS: After reading the data from the database, you will probably do something with it. Depending on what you want to do, you may need to add some slashes again, or do other metacharacter handling. E.g. htmlspecialchars if you want to include the data in a web page.

--
shh () thathost com
http://shh.thathost.com/
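A model of the round trip Sverre describes, added here as an example and not code from the post: `mysql_escape` mimics PHP's mysql_escape_string(), `parse_literal` mimics the SQL parser's scan of a single-quoted literal, `stripslashes` mimics PHP's stripslashes(), and `render_html` stands in for htmlspecialchars() on output. All function names and the simplified escape tables are assumptions of this example.

```python
import html

# Mimics PHP mysql_escape_string(): backslash-escape the characters that
# would otherwise end or alter a single-quoted MySQL string literal.
_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
            "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def mysql_escape(value: str) -> str:
    return "".join(_ESCAPES.get(c, c) for c in value)

# Simplified MySQL escape mnemonics; any other escaped char is taken literally.
_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}

def parse_literal(literal: str) -> str:
    """Scan a single-quoted literal the way the SQL parser does and return
    what actually gets stored: a backslash means 'next char is plain data'."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a complete single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            nxt = body[i + 1]
            out.append(_UNESCAPES.get(nxt, nxt))  # escaped quote is just data
            i += 2
        elif c == "'":  # an unescaped quote would have ended the literal here
            raise ValueError("unescaped quote terminates the literal early")
        else:
            out.append(c)
            i += 1
    return "".join(out)

def stripslashes(value: str) -> str:
    """Simplified PHP stripslashes(): drop one level of backslashes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def stored_value(user_input: str) -> str:
    """Escape for the SQL parser, let the parser decode: what lands in the table."""
    return parse_literal("'" + mysql_escape(user_input) + "'")

def render_html(db_value: str) -> str:
    """The PS of the reply: escape again for the next consumer, here HTML."""
    return html.escape(db_value, quote=True)
```

Running `stored_value` on "C:\\AUTOEXEC.BAT" returns the input unchanged, while `stripslashes` on that stored value yields "C:AUTOEXEC.BAT", the corruption the reply warns about.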