2

I noticed the function json_encode() automatically puts backslashes on " and ' values. I was originally protecting against SQL injections by using mysqli_real_escape_string($con, $value) before the string was put into the array, after then it would be encoded using jSON.

Because json_encode adds the additional back slashes, it is necessary to use the mysqli_real_escape_string function?

Oliver Tappin
  • 2,511
  • 1
  • 24
  • 43
  • 4
    No, it does not. As that's not its purpose. – mario Mar 10 '13 at 18:02
  • 2
    I wouldn't say this is a duplicate, this is purely aimed at the `json_encode()` function – Oliver Tappin Mar 10 '13 at 18:04
  • Not constructive it is. Someone always comes up with various workarounds in order to eschew escaping, whether it is htmlspecialchars or addslashes or json_encode, like in your question. From your description (mysqli_real_escape_string and then json_encode is very much the wrong order) you seemingly also don't understand how context escaping should be done. Hencewhy the hint about bound parameters, which make this step redundant. What's your reasoning for avoiding the simpler and saner approach? – mario Mar 10 '13 at 18:09
  • 4
    This is not a duplicate. Poor guy doesn't deserve 3 downvotes. – rockstardev Sep 02 '13 at 10:59

4 Answers4

4

Yes, it is still necessary. json_encode adds backslashes to the strings contained within the JSON, but not to the control elements of the JSON itself.

So, this:

array( 'key' => 'some "value" here' );

Becomes:

{"key": "some \"value\" here"}

There are still quotes in the string that are not escaped (the quotes surrounding the keys and values. json_encode is not meant to protect against SQL injection. It adds slashes purely for the JSON, so that when you, later on, json_decode() the data, it knows where the strings start and stop.

As others have said - use prepared statements. Period. If you're already using mysqli you have no reason not to.

Colin M
  • 13,010
  • 3
  • 38
  • 58
2

If you are using mysqli, just use Prepared Statements and you're done.

Can Geliş
  • 1,454
  • 2
  • 10
  • 19
2

Neither json_encode() nor mysqli_real_escape_string() does protect against SQL injection.

Moreover, if you wouldn't use mysqli_real_escape_string() in your json encoded values, you'll be unable to decode them back.

Also, if you're storing json in your database, your database structure is wrong.

Tables you're using you your databases are such arrays. They are intended to store scalar values in their cells.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
1

json_encode is insufficient protection against XSS or the generation of SQL errors. The act of encoding an object as JSON will even add new quote characters.

… but don't use mysqli_real_escape_string, use prepared statements and parameterized queries.

… and generally you shouldn't be storing JSON in a database. Normalise your data so you can query it.

Community
  • 1
  • 1
Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335