1

I don't know if this is a good question or not but it is something that got me into a lot of doubt today. So I was using a PHP function to basically save time and escape values like we used to do with mysql_real_escape() before but I was told that doing this is actually dangerous, this is what I was doing:

function mysql_string_safe($stringtoclean)
{
    $safestring = mysqli_real_escape_string($GLOBALS['confDBLink'],$stringtoclean);
    return $safestring;
}

I now have the doubt.. How doing any of this can actually be unsafe? Since all I'm doing is sending a value to the function to then escape it in mysqli_real_escape_string? (and then returned of course) So when I actually want to escape a value I would be doing the following: mysql_string_safe($valuetoescape); I really wanted to know, not only because of the doubt but to also know, because if this is really dangerous as I was told, then I'll remove this from my applications as well. Thank you very much for your time.

Ignacio Belhot Colistro
  • 339
  • 1
  • 13

3 Answers3

4

There's nothing unsafe per se, but using prepared statements/binding values is preferred over escaping inputs explicitly. The latter is potentially unsafe for a couple reasons:

  • You may forget to escape an input
  • You may accidentally escape the same input twice
Explosion Pills
  • 188,624
  • 52
  • 326
  • 405
  • Also `mysql_real_escape_string()` has been found to have exploitable bugs in the past (e.g. with multibyte character sets); relying upon string escaping is unsound as other such bugs could always exist in the future. As you say, parameterised statements are safer because the RDBMS does not parse one's variables for SQL so even specially crafted values cannot result in SQL injection. – eggyal Oct 30 '12 at 23:04
  • 1
    @eggyal he's using `mysqli`, not `mysql` – Explosion Pills Oct 30 '12 at 23:07
1

I'm willing to be that whoever told you this wasn't referring to the fact that you had a function that called mysql_real_escape_string() but rather to the fact that you were using the mysql_* functions at all. You may have seen a variation of this message around which explains why you shouldn't use those functions:

Please, don't use mysql_* functions in new code. They are no longer maintained and the deprecation process has begun on it. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Zoe
  • 27,060
  • 21
  • 118
  • 148
SomeKittens
  • 38,868
  • 19
  • 114
  • 143
0

Depending on how much of your system is already using mysqli, I would make the switch to PDO:

$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->bindValue(':username', $_POST['username']);
$stmt->execute();

$row = $stmt->fetch();

By binding the values as shown, PDO handles the escaping of characters for you. This is generally considered the improved way of interacting with a database with PHP, you can read about it here: http://php.net/manual/en/book.pdo.php

I know this doesn't strictly answer your question, I think this is a case where a different solution altogether might be useful.

Flosculus
  • 6,880
  • 3
  • 18
  • 42