
When I post a variable to the database, of course, I use mysql_real_escape_string. This way special characters go in the database as it should.

When I read this variable out of the database, I use mysql_real_escape_string again together with stripslashes:

$var = stripslashes(mysql_real_escape_string($record['rowname']));

otherwise it will give me slashes before quotes.

When I use this $var I mentioned above and want to echo it, I can simply echo "$var" because it has already been stripped and escaped, right?

And besides, if I use stripslashes + mysql_real_escape_string on a variable, then POST this same variable again to the database, is mysql_real_escape_string enough? Or do I need to stripslashes this variable again?

Summarized:

As I know how this works:

  1. Use mysql_real_escape EVERY time when using data with mysql: when reading a query through variables as well as when posting variables to the database.
  2. Use stripslashes when echoing out escaped variables.
  3. If you want to post stripslashed and escaped variables again to the database, you don't need to stripslash them again.

Do I miss htmlspecialchars?

EDIT

So this is all wrong?

    while( $record=mysql_fetch_array($result) )
    {
        $custid=mysql_real_escape_string($record['custid']);
        $custsurname=mysql_real_escape_string($record['custsurname']);
        $custmidname=mysql_real_escape_string($record['custmidname']);
        $custforename=mysql_real_escape_string($record['custforename']);
        $custcountry=stripslashes(mysql_real_escape_string($record['custcountry']));
    }
TMNuclear
    Wait for all the people telling you to switch to PDO and prepared statements xD, and they are right. Stop using mysql_ as it's deprecated and less safe – aleation Nov 23 '12 at 11:07
  • http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-function-in-php :) – j0k Nov 23 '12 at 11:07
  • I know PDO is better, but since I'm almost done with my practical training and just need to secure the mess, I want to be sure I did it well. – TMNuclear Nov 23 '12 at 11:10
    You shouldn't use mysql_* even for training: it is deprecated and will be removed in future versions of PHP. Use PDO or mysqli, prepared statements and filter_var for proper input check/sanitization – Benjamin Dubois Nov 23 '12 at 11:17
  • Use [mysqli](http://www.php.net/manual/en/book.mysqli.php) or [PDO](http://www.php.net/manual/en/ref.pdo-mysql.php) I personally prefer `PDO` over `mysqli` due to named parameters support. –  Feb 10 '13 at 10:22

2 Answers


I'm afraid you're doing it wrong. The key point is that escaping is context sensitive and you completely disregard that fact.

In every data format, there are words or characters that are assigned special meanings in the format spec. For instance, a ' symbol in SQL means "string delimiter", a ? symbol in a URL means "start query string" and a < symbol in HTML means "start tag". You need escaping when you want to insert a literal word or character, i.e., you want to insert it as-is and remove its special meaning.

Once aware of that, it's clear that the syntax varies depending on the format and context. < means "start tag" in HTML but not in SQL or URLs. Thus you need to use an escaping method that's built for the target format and follows the format rules.

If you do mysql_real_escape_string() on data read from a database you're saying "escape my data so it can be injected inside a SQL string". Your data gets ready to be used inside a SQL string but gets corrupted for any other usage.

In this example, it happens that stripslashes() undoes most of what mysql_real_escape_string() did so you end up with an output that's basically unchanged. But that's pure chance.

Last but not least, having to escape database input parameters one by one is very annoying. All other DB extensions but the one you are using[1] offer prepared statements. Don't get stuck with a deprecated extension that doesn't offer modern stuff.

[1] Note: the legacy mysql extension has been deprecated for several years, when better alternatives became available, and it's no longer part of the language.

Update: a little clarification—escaping is just a syntax trick. You don't alter the input to the eyes of the target engine, which just sees the original data as-is. So there's no need to unescape the input when you retrieve it.

Álvaro González

You don't need to stripslashes or mysql_real_escape_string the data coming from database, you just need to escape it before you query so the query parser knows what are special characters and what are literal characters.

stripslashes should never be used (it is a hack to fix some symptoms); if you are going to need a variable after escaping it, use the original one:

    $data_safe = mysql_real_escape_string( $data );
    //$data can still be used normally

Escaping is only for a certain context. If the context is a mysql query then you will mysql real escape just for the query and nothing else. If the context is html output, then you will htmlescape just before outputting a string as html. At no point do you want to actually modify the data itself. If you misunderstand this, you will see O\'Brian and O&#39;Brian etc.

Esailija
  • @IvanM because you are doing something wrong: having magic quotes on, or echoing an sql escaped variable – Esailija Nov 23 '12 at 11:14
  • @IvanM read the first sentence of my answer, you do not mysql escape data coming from database **unless** you are going to use them in a query right after. You are echoing them on a html page, a context that has no sql escaping. Get it? – Esailija Nov 23 '12 at 11:17
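The flow both answers describe (escape only for the context you are about to use the data in, never modify the stored value, nothing to unescape on the way back out), as an added example that is not code from the question or either answer. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the `customer` table and the `O'Brian <b>` input are constructed for the demonstration, and the final contrast uses `addslashes` as a stand-in for the removed `mysql_real_escape_string`.

```php
<?php
// Added example: prepared statement in, unchanged value out, HTML escaping
// only at output time. Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customer (custid INTEGER PRIMARY KEY, custsurname TEXT)');

// Constructed input: a quote that matters to SQL and brackets that matter to HTML.
$input = "O'Brian <b>";

// 1. SQL context: the placeholder handles quoting; $input itself is never changed.
$insert = $pdo->prepare('INSERT INTO customer (custsurname) VALUES (:surname)');
$insert->execute([':surname' => $input]);

// 2. Reading back: no stripslashes, no SQL escaping. The stored value is
//    byte-for-byte what was bound, because escaping was only a syntax trick
//    for the query parser, not a transformation of the data.
$row = $pdo->query('SELECT custsurname FROM customer')->fetch(PDO::FETCH_ASSOC);
$roundTripIntact = ($row['custsurname'] === $input);

// 3. HTML context: escape with the HTML rules, and only at the moment of output.
//    ENT_QUOTES also encodes the single quote so the value is safe inside
//    attribute values, not just element text.
$forHtml = htmlspecialchars($row['custsurname'], ENT_QUOTES, 'UTF-8');
echo "<td>$forHtml</td>\n";

// 4. Reusing the value in another query: bind the original, unescaped variable
//    again. There is nothing to "unescape" first.
$lookup = $pdo->prepare('SELECT COUNT(*) FROM customer WHERE custsurname = :surname');
$lookup->execute([':surname' => $row['custsurname']]);
$matches = (int) $lookup->fetchColumn();

// 5. For contrast, the question's approach: SQL-escaping a value read from the
//    database and then stripping the slashes happens to cancel out here, but
//    it is pure chance, and it still leaves "<b>" unescaped for an HTML page.
$questionStyle = stripslashes(addslashes($row['custsurname']));
$cancelsOutByChance = ($questionStyle === $input);

printf("round trip intact: %s, matches: %d, question-style cancels out: %s\n",
    $roundTripIntact ? 'yes' : 'no', $matches, $cancelsOutByChance ? 'yes' : 'no');
```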