0

I'm using mysql_real_escape_string() and htmlspecialchars() functions in my PHP code to make it secure against SQL injection and XSS. Is there any possibility to hack these functions? If yes, can you describe how it can be done so that I can improve my code.

Thank you very much.

George
Alice
    htmlspecialchars has absolutely **NOTHING** to do with SQL injection prevention. That's why there's m_r_e_s(), and no, there's nothing that a malicious user can do to get around what it does. Now, if you were using addslashes, then yes, there's a LOT you can do to completely bypass any wet-toilet-paper security system you've created with addslashes. Similarly, m_r_e_s() has absolutely NOTHING to do with XSS prevention. You're mixing up two totally different things. – Marc B Nov 20 '12 at 15:21
  • Use htmlspecialchars just in time when echoing HTML, and mysql_real_escape_string just in time when outputting SQL. Don't use them together. – Esailija Nov 20 '12 at 15:22
  • @MarcB: I once encountered a system that stored `addslashes(htmlentities(m_r_e_s($rata)))` to the database. Cargo-cult programming is painful. – DCoder Nov 20 '12 at 15:26
  • check http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection?rq=1 – NullPoiиteя Nov 20 '12 at 15:26
  • 1
    @dcoder: if only there was a way to delete 99.99999% of the "the only php tutorial you'll ever need" pages out there... – Marc B Nov 20 '12 at 15:27

2 Answers

1

If your PHP is updated, try to use mysqli or PDO and prepared statements.

But to answer your question, YES, mysql_real_escape_string() can be injected, but it's very complicated to do so. Here's an example

Naryl
0

The first thing you want to do to prevent SQL injections is using PDO and prepared statements, or at least mysqli. As mysql is deprecated, the migration to mysqli is very, very easy and it's optimized.

If you use mysql_real_escape_string you should be safe, as long as you escape correctly and wherever you really need it. Remember that in most cases the mistake is on the human side, and not because of the functions :P

aleation
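As an added example (not code from the question or either answer), here is the separation both answers and the comments describe, in PHP: the SQL value goes through a PDO prepared statement, and HTML escaping happens only at output time with htmlspecialchars(). It assumes an in-memory SQLite database so it runs stand-alone; a MySQL DSN is the only change needed for the setup in the question.

```php
<?php
// Added example: escaping is per output context. The database receives the
// value through a bound parameter, the HTML page receives it through
// htmlspecialchars(). Uses PDO with in-memory SQLite (assumption, so the
// script runs without a MySQL server); for MySQL use a DSN such as
// "mysql:host=...;dbname=...;charset=utf8mb4" instead.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for server-side prepared statements rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store the raw text. No addslashes(), no htmlentities() on the way in: the
// value travels separately from the SQL text, so quotes in it are data, never syntax.
function storeComment(PDO $db, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Look up by a user-controlled value, again through a bound parameter.
function findComments(PDO $db, string $needle): array {
    $stmt = $db->prepare('SELECT body FROM comments WHERE body LIKE :needle');
    $stmt->execute([':needle' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Escape for HTML only here, at the moment of output. ENT_QUOTES covers both
// quote styles, so the result is also safe inside a quoted attribute value.
function renderComment(string $body): string {
    return '<li>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

$db = openDb();
// Constructed sample input containing both SQL and HTML metacharacters.
storeComment($db, "O'Brien said: <b>hi</b> & \"bye\"");
storeComment($db, 'plain text');

foreach (findComments($db, "O'Brien") as $body) {
    echo renderComment($body), "\n";
}
```

If the code has to stay on the old mysql extension for now, the escaping done by mysql_real_escape_string() depends on the connection's character set, so set it with mysql_set_charset() rather than a SET NAMES query so the client library and the server agree on it.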