
I'm working on an old system that has multiple SQL injection risks. In order to prevent this problem altogether I want to escape all $_POST and $_GET data. The problem is that the script itself also escapes. Now I'm wondering if it's possible to detect if a string has already been escaped.

Any other solutions are also welcome.

Thanks!

Jeffrey
  • The simple answer would be to find/remove all instances of `mysql_real_escape_string()` in the script(s) and `array_map()` it at the top of the script - but you probably don't want to do this, it will break anything like `if ($_GET['something'] == "A string with a single ' quote in it")` and you may end up with odd output if you `echo $_GET['something']` anywhere. The right way to do this would be to find all instances of `mysql_query()` and make sure they are escaped properly. It may be time consuming but it will save headaches in the long run. Better yet, port it to PDO. – DaveRandom Apr 24 '12 at 11:11

1 Answer


Too bad, you will get no protection anyway.
Because, despite the widespread misbelief of the PHP folks,

Escaping != protection

In fact, you are about to implement a home-brewed equivalent of the notorious magic_quotes feature, which proved to be inefficient at protecting against injections.

So you'll end up with some of your data double escaped and other data still unsafe despite escaping (because escaping != safety).

Unfortunately, such "magic wand"-style solutions NEVER work.
You have to refactor your code, protecting certain queries. That's the only way.

Remember: escaping is not a synonym for protection. It is only part of the whole set of rules.

Your Common Sense