Two related questions that should be easy, though my searching has come up empty.

  1. I have a form in PHP. If a field has a semi-colon in it, and I do a dump of $_POST in the action page, the field value is truncated at the semi-colon. I'm guessing this is related to SQL injection security? But legitimate semi-colons need to be allowed. Is there a setting that allows this to go through? Or do I need to escape it, and if so, how?

  2. To catch actual SQL injections, I don't need to allow multiple statements in one query... like "SELECT * FROM table;DROP table". Is there a setting that disables this, either in PHP or MySQL, but without stopping legitimate semicolons?

Jonathan Leffler
ray.gurganus

2 Answers

1

Semi-colons do not cause any problem.

Use prepared statements.

In mysqli:

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name);

$stmt->execute();

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // do something with $row
}

In PDO:

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

$stmt->execute(array(':name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}

Use mysql_real_escape_string

$unsafe_variable = $_POST["user-input"];
// Escapes quotes and other special characters for the current connection's charset.
// Note: the mysql_* extension was removed in PHP 7; on current PHP use
// mysqli_real_escape_string($link, $unsafe_variable) or, better, the prepared statements above.
$safe_variable = mysql_real_escape_string($unsafe_variable);

mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");

Check this question for more information: How can I prevent SQL injection in PHP?

Subodh Ghulaxe
0

Ok, silly me. Yes, I am using prepared statements, escaping, etc. But I also wanted to sanitize the input before it even gets that far. So I have a global function that checks all parameters, taking out anything following apostrophes and semicolons. Works fine for GET values, but I forgot that I needed to update that to handle POST parameters differently, and had forgotten this was there, as I hadn't typed a semi-colon until now. :) But thanks for the responses.

ray.gurganus