6

I'm passing some simple user data into a mysql database.

PHP's urlencode() returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits.

I'm not worried about the spaces turning into pluses, or other formatting issues. Neither am I worried about XSS and other HTML hacks.

I believe I should be safe from ' and ) style attacks.

QUESTION: Are there other kinds of sql attacks that could be used with - or _ or . ?

EXAMPLE:

mysql_query("UPDATE cars SET color = '".urlencode($c)."' WHERE garage = 29");

Thank you in advance

BoltClock
Chris

4 Answers

11

urlencode() has nothing to do with SQL, so it does as much to prevent SQL injection as kerosene does to make your burgers more delicious. Besides, everything that enters your database will end up URL encoded, which you then have to decode if you want to do anything useful with them after retrieving the database.

Escaping your queries, on the other hand, helps your application to guard against SQL injection, and nothing more. It does not modify the data you enter into your queries; it only protects your queries from being tampered with. That's the idea of SQL injection, and it's also why URL encoding your data doesn't do anything to protect against it. Granted, it does turn your apostrophes ' into %27, rendering them harmless, but as mentioned in the above paragraph, you'll have to URL decode them back into apostrophes in order to use them.

Use the right tool for the right purpose. Especially in the year 2011, you should be using prepared statements instead of manually escaping your query variables and concatenating strings to form queries.

BoltClock
  • 1
    like this : kerosene does to make your burgers more delicious. :) – xkeshav Feb 15 '11 at 06:00
  • 2
    I understand that for most people you would wish that information to be passed on. But my question was more simple. The question is: if the only existing non-alpha characters are . _ and -, how can any SQL statements be injected with the simple code example above? Do you know of any attacks that use only those characters and alpha? As I said, I'm not worried about formatting; in fact it suits my purposes to have them in urlencoded format as I pass them around between webpages. – Chris Feb 15 '11 at 06:27
  • @Chris: If you want to URL encode them for your application to use, that is fine, but do not rely on it to protect your queries from injection. As my last paragraph says, use the right tool for the right job. You should either use the dedicated `mysql_real_escape_string()` function or use prepared statements to really protect against SQL injection attacks. – BoltClock Feb 15 '11 at 07:56
9

No. It is actually dangerous to use url encoding for SQL injection protection.

  1. URL encoding is percent encoding. And % chars in SQL have special meaning in many databases. Example: LIKE clauses. Allowing % chars in dynamic SQL will still lead to problems.
  2. There is a risk that intermediate (web) servers might automatically url decode. Apache might do this.
karthik
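As an added illustration (not code from the question or from any of the answers), the following Python script plays out the question's UPDATE against an in-memory SQLite table: the concatenated urlencode() variant, the downstream decode-and-reuse that BoltClock and karthik both warn about, and the parameterized statement BoltClock recommends. The table contents, the "O'Neill green" colour value and the function names are constructed for the demo; urllib's quote_plus/unquote_plus stand in for PHP's urlencode()/urldecode().

```python
"""Constructed demo: urlencode() as an SQL-injection 'filter' vs. a parameterized query."""
import sqlite3
from urllib.parse import quote_plus, unquote_plus  # same alphabet as PHP urlencode()/urldecode()


def new_db():
    # In-memory stand-in for the 'cars' table from the question (constructed sample row).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (id INTEGER PRIMARY KEY, color TEXT, garage INTEGER)")
    conn.execute("INSERT INTO cars (color, garage) VALUES ('red', 29)")
    return conn


def update_color_urlencoded(conn, c):
    # The question's approach: concatenate the URL-encoded value into the statement.
    # The apostrophe becomes %27, so the query parses, but the stored data is mangled.
    conn.execute("UPDATE cars SET color = '" + quote_plus(c) + "' WHERE garage = 29")
    return conn.execute("SELECT color FROM cars WHERE garage = 29").fetchone()[0]


def lookup_decoded_concat(conn, stored):
    # Downstream code (or an intermediate server) URL-decodes the stored value and
    # concatenates it again: the apostrophe is back and the statement breaks.
    sql = "SELECT id FROM cars WHERE color = '" + unquote_plus(stored) + "'"
    try:
        conn.execute(sql).fetchall()
        return "query ran"
    except sqlite3.OperationalError as e:
        return f"syntax error: {e}"


def update_color_parameterized(conn, c):
    # Prepared/parameterized statement: the driver keeps data and SQL apart,
    # and the stored text is exactly what the user typed.
    conn.execute("UPDATE cars SET color = ? WHERE garage = 29", (c,))
    return conn.execute("SELECT color FROM cars WHERE garage = 29").fetchone()[0]


def lookup_parameterized(conn, color):
    # Same value read back safely, no decoding step needed.
    rows = conn.execute("SELECT id FROM cars WHERE color = ?", (color,)).fetchall()
    return len(rows)


if __name__ == "__main__":
    db = new_db()
    stored = update_color_urlencoded(db, "O'Neill green")
    print(stored)                                   # O%27Neill+green  (mangled)
    print(lookup_decoded_concat(db, stored))        # syntax error: near "Neill": ...
    print(update_color_parameterized(db, "O'Neill green"))   # O'Neill green
    print(lookup_parameterized(db, "O'Neill green"))         # 1
```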
2

I don't think that urlencode alone will be good enough to stop SQL injection. You will have to use at least mysql_real_escape_string or prepared statements from PDO.

Nik
0

Use PDO and parameterized queries.

Stephen