Escaping quotation marks php and mysql

Question

Possible Duplicate:
Best way to prevent SQL Injection in PHP

I escape quotation marks via addslashes($str).

When i save the input from text fields to a MySQL database, is that a sufficient protection against MySQL injections or do I need to filter the input further because you can bypass this escape method? Or is there any better way to do this?

See also: http://stackoverflow.com/questions/5414731/are-mysql-real-escape-string-and-mysql-escape-string-sufficient-for-app-secu — Chris C, Jul 18 '12 at 18:34
No, it is awful. See the duplicate questions for the correct way to do it. — Quentin, Jul 18 '12 at 18:35

score 2 · Answer 1 · answered Jul 18 '12 at 18:34

2

You should read about prepared statements in PDO: http://www.php.net/manual/en/pdo.prepared-statements.php

answered Jul 18 '12 at 18:34

mdziekon

3,531
3
22
32

score 1 · Answer 2 · answered Jul 18 '12 at 18:35

1

Escaping quotes is definitely not enough. The safest thing to do is to use parameter binding. See the docs for mysqli_stmt::bind_param.

answered Jul 18 '12 at 18:35

Ted Hopp

232,168
48
399
521

score 0 · Answer 3 · answered Jul 18 '12 at 18:39

Yes, there is. You can check all parameters for any of the following things, depending on expected values:

Is the value of the variable something meaningful?
Is the value of the variable within a reasonable value range?
Is the value of the variable inside a predefined maximum length?

Those are some elementary checks that can save you a lot of trouble. Also, to avoid more problems:

Always filter file uploads, and never execute anything uploaded.
Never, ever execute SQL or evaluate code that has a direct part of user input. Always parse your inputs first, so that you are certain it does not contain any abnormalities.

score -1 · Answer 4 · answered Jul 18 '12 at 18:34

-1

You can do excaping like this:

<?php  
    $query = mysql_query("SELECT id FROM users WHERE username =   '".mysql_real_escape_string($username)."' AND password = '".mysql_real_escape_string($password)."'");  
?>

answered Jul 18 '12 at 18:34

Jordizle

252
1
5

1

Please do not recommend functions that the PHP manual puts a big red "Do not use" notice on. – Quentin Jul 18 '12 at 18:36
1

also plain text passwords? wtf? – rook Jul 18 '12 at 19:37

score -1 · Answer 5 · answered Jul 18 '12 at 18:35

-1

I would suggest using mysql_real_escape_string or similar function (depending on what DB access methodology you are using).

answered Jul 18 '12 at 18:35

Mike Brant

70,514
10
99
103

Building queries by mashing together strings leaves too much room for error. Use bound parameters. That function also comes with a big red "use something else" alert in the PHP manual. – Quentin Jul 18 '12 at 18:37
1

Yes, but many people do not necessarily want to use some database abstraction layer or want the additional overhead that prepared statements may bring for cases where you are only doing single data inserts (as opposed to performing the same query multiple times with different data where prepared statements really shine performance-wise). Also some users may not have MYSQLi extension available on their server or the ability/know how to install it. – Mike Brant Jul 18 '12 at 18:42

Escaping quotation marks php and mysql

5 Answers5