
Possible Duplicate:
Best way to prevent SQL injection?

I am making a file system where users can only indicate where the files are; it is not supposed to upload anything, just capture the file name using JavaScript and an input of type file.

The problem is when it executes the query to insert... the path for the file is this:

C:\users\files\test.php

The problem here is the \ character because it omits the next character in PHP. So it's saved as: C:usersfilestest.php in the database.

I have another input box where users specify where they want the files... so when they write:

C:\ the query does not execute because of the \ character.

Any thoughts?

    What you describe is a low-level form of SQL injection. Prevent it, because this signals **a serious problem** you have: [Best way to prevent SQL injection?](http://stackoverflow.com/q/60174/367456) – hakre Nov 09 '12 at 16:07
  • Thank you, this is a system to be used within the company (intranet). It will not be public, but I will take a look at the post to increase security. Thanks – user1812695 Nov 09 '12 at 16:20
  • @user1812695 — It doesn't matter that it isn't public. Employees can be disgruntled. They can be subject to social engineering based attacks (Just paste this into your address bar!). They can make mistakes. They can enter perfectly good data that contains special characters and causes the SQL to break. – Quentin Nov 09 '12 at 16:25
  • And security is not only about if there is evil or not (or evil was intended). Security also stands for that a system does what it has to do in a stable manner. Having SQL injection is causing side-effects like in your case. Always prevent them. Do never look for excuses. – hakre Nov 09 '12 at 16:26

2 Answers


You can use \\ instead of a single \


If you properly escape the string you are trying to insert, you will not have the problem with the \ disappearing. It is actually MySQL that is treating the single backslash as an escape string.

So something like this:

$path_string_escaped = mysqli_real_escape_string($db_connection, $path_string);

And use $path_string_escaped in your insert.

Note that this will make $path_string_escaped look something like C:\\users\\files\\test.php. MySQL will then unescape the backslashes such that C:\users\files\test.php will be written to the database. You will not need to do anything when reading from the database to modify the string.

You should ALWAYS escape user-provided or user-accessible data you will be writing to the database.

This is also a good example of why, even if using prepared statements, you should still escape user-accessible data you are writing to the DB when you are dealing with strings that could contain MySQL escape sequences. While using prepared statements can certainly prevent an actual injection attack, it will not help you actually write your data to the database the way you intend when there are already MySQL escape sequences in the strings.

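The three approaches discussed across both answers (raw concatenation, an escaped string, and a prepared statement), side by side as an added example that is not code from either answer or from the asker's project. It assumes the mysqli extension, placeholder connection credentials (`DB_USER`, `DB_PASSWORD`, `DB_NAME`), and a table `files(id INT AUTO_INCREMENT PRIMARY KEY, path VARCHAR(255))`; the sample path is constructed from the question. With a bound parameter the value travels to the server separately from the SQL text, so MySQL applies no escape processing to it and the backslashes are stored exactly as typed, which is also what makes the statement's structure independent of the input.

```php
<?php
// Added example (not from the original answers). Assumes a reachable MySQL
// server with placeholder credentials and this table:
//   CREATE TABLE files (id INT AUTO_INCREMENT PRIMARY KEY, path VARCHAR(255) NOT NULL)
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'); // placeholders
if ($db->connect_errno) {
    die("connect failed: " . $db->connect_error);
}

// The value exactly as the user typed it (constructed sample; in a
// single-quoted PHP string only \\ and \' are escapes, so the backslashes survive).
$path = 'C:\users\files\test.php';

// 1) Broken: string concatenation. Inside the SQL string literal MySQL treats
//    each backslash as an escape: unknown escapes like \u drop the backslash
//    and \t becomes a TAB character, so the stored value is mangled. A value
//    that ends in a backslash (the asker's "C:\") escapes the closing quote
//    and the statement fails to parse, and a quote in the input lets the user
//    change the statement itself. Left commented out on purpose.
// $db->query("INSERT INTO files (path) VALUES ('" . $path . "')");

// 2) Escaped string, as in the second answer. Correct for a literal in the
//    SQL text, but only if every user-supplied value is escaped every time.
$escaped = $db->real_escape_string($path);   // C:\\users\\files\\test.php
$db->query("INSERT INTO files (path) VALUES ('" . $escaped . "')");

// 3) Prepared statement with a bound parameter. The SQL text contains only
//    the placeholder; the value is sent separately, so no escaping is applied
//    or needed and C:\users\files\test.php is stored exactly as entered.
$stmt = $db->prepare('INSERT INTO files (path) VALUES (?)');
$stmt->bind_param('s', $path);
$stmt->execute();
$stmt->close();

// Read back both rows. Each prints C:\users\files\test.php; nothing has to
// be unescaped on the way out.
$result = $db->query('SELECT path FROM files ORDER BY id');
while ($row = $result->fetch_assoc()) {
    echo $row['path'], PHP_EOL;
}
$db->close();
```

Run it against a throwaway database once with the concatenation line uncommented to see the mangled row and, with `$path = 'C:\';`, the parse error the question describes; rows written by approaches 2 and 3 come back identical.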