0

Innocently, I thought there was no problem storing a UTF-8 string in a DB, even if it contains strange characters. On the contrary, I've read here and there that some characters, such as newlines, can be used to hack the code.

Do you know which characters it is better to strip out or escape? I'm also interested in good articles and/or books (EPUB preferably).

Marco Sulla
  • ah, I think you're saving data to the database without cleaning it, right? try using mysqli::real_escape_string() or `mysqli::prepare()` [Docs](http://php.net/manual/en/mysqli.prepare.php) – ROMMEL May 15 '13 at 21:32
  • Check this post [How to prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php/16466714) – Danijel May 15 '13 at 21:35
  • @Danijel: thank you, I'll use PDO; it will also offer me a way to make my queries more modular, as I wanted to do. Anyway, this will secure the db, but what about PHP? I mean, this data will be manipulated some day. For "echo" you can use htmlspecialchars, but what about functions? Can a bad string input mess my code up? – Marco Sulla May 16 '13 at 07:42
  • @YourCommonSense: why do you prefer to do substitution inside query templates by hand instead of using PDO? PS: also take a look at my previous comment. – Marco Sulla May 16 '13 at 07:44
  • I am not sure I get your question right. PDO does the very thing you said: it performs substitutions in the query template. However, it can handle only a very limited set of literals, namely strings and numbers. It offers no protection for any other query part. – Your Common Sense May 16 '13 at 08:35

2 Answers

0

Inside SQL string literals, you generally only have to escape the characters which delimit the string literal, as they are what is required to leave the string-literal context. This means that inside single-quoted strings the single quote character has to be escaped, and inside double-quoted strings the double quote character has to be escaped. Additionally, the escape character itself must be escaped as well.

In general, string escaping functions escape these characters as well as further, non-printable characters, if applicable.

But you don’t have to care about the proper escaping as long as you use the escaping functions provided by the DBMS APIs.

Gumbo
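Added example, not code from the question or this answer: a Python `sqlite3` script on a constructed in-memory `users` table that shows the point of the answer above. Doubling the single quote is the standard-SQL way to escape the delimiter (SQLite follows it; MySQL additionally treats backslash as an escape character, which is why `mysql_real_escape_string()` handles more characters). Binding parameters sidesteps the question entirely: the value never becomes part of the SQL text, so newlines, quotes, NUL bytes and non-ASCII characters are stored verbatim and there is nothing to strip. The table layout, sample rows, `TRICKY` string and function names are my own.

```python
import sqlite3

# Constructed sample rows for this demo; not data from the original post.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),
]

# Constructed "hostile" string: NUL, newline, CR, backslash, both quotes,
# Control-Z and some non-ASCII text. Nothing here needs stripping when bound.
TRICKY = "\x00\n\r\\'\"\x1a Ünïcödé 🎉"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def quote_literal(value: str) -> str:
    """Standard-SQL quoting of a string literal, as the answer describes:
    only the delimiter has to be escaped, by doubling it. SQLite has no
    backslash escapes, so nothing else needs treatment here; a MySQL literal
    would also need backslashes doubled, since backslash is its escape char."""
    return "'" + value.replace("'", "''") + "'"


def lookup_unsafe(conn, name: str):
    """Vulnerable: user input is pasted into the SQL text. A single quote in
    `name` closes the literal early and the remainder is parsed as SQL.
    Returns None when the resulting text is not even valid SQL."""
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def lookup_escaped(conn, name: str):
    """Same string building, but the input goes through quote_literal() first."""
    sql = f"SELECT email FROM users WHERE name = {quote_literal(name)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name: str):
    """Preferred: a bound parameter. The value never enters the SQL text, so
    there is no delimiter to escape and no character to strip."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def roundtrip(conn, value: str) -> str:
    """Store an arbitrary string through a bound parameter and read it back."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (value, "n/a"))
    row = conn.execute("SELECT name FROM users WHERE name = ?", (value,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "O'Brien"))        # None: the quote broke the statement
    print(lookup_unsafe(db, "x' OR '1'='1"))  # every email: classic injection
    print(lookup_escaped(db, "x' OR '1'='1")) # []: the quote is now just data
    print(lookup_bound(db, "O'Brien"))        # ['obrien@example.com']
    print(roundtrip(db, TRICKY) == TRICKY)    # True: stored byte-for-byte
```

The same contrast applies to the PHP APIs named in the comments: `mysqli::real_escape_string()` plays the role of `quote_literal()` (with MySQL's rules), while `mysqli::prepare()` and PDO prepared statements play the role of `lookup_bound()`.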
-1

`\x00`, `\n`, `\r`, `\`, `'`, `"` and `\x1a`

You can find this in the manual for escaping strings (e.g. mysql_real_escape_string()).

Basically it's the single quote, '%' and '_' (wildcards for searching using the LIKE clause).

samayo
Maxim Khan-Magomedov
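The `%` and `_` in this answer are a different problem from the quote and backslash list: they are LIKE pattern metacharacters, not string delimiters, so neither `mysql_real_escape_string()` (which the PHP manual documents as not escaping them, and which was removed in PHP 7.0) nor a bound parameter neutralises them. Added example, not code from the answer, again using Python's `sqlite3` on a constructed `products` table: `search_naive` is injection-safe but lets a user-supplied `%` match every row, while `search_literal` escapes the escape character, `%` and `_` and names the escape character in an `ESCAPE` clause so the term is matched literally. Table, sample names and function names are my own.

```python
import sqlite3

# Constructed sample names; the %, _ and backslash are deliberate.
SAMPLE_NAMES = ["50% off", "50x off", "a_b", "axb", "back\\slash", "plain"]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def search_naive(conn, term: str):
    """Bound parameter, so no SQL injection, but the LIKE wildcards inside the
    user's term are still live: a term of '%' matches every row."""
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ?", (f"%{term}%",))
    return [r[0] for r in rows]


def escape_like(term: str, esc: str = "\\") -> str:
    """Neutralise LIKE metacharacters. The escape character itself must be
    doubled first, otherwise a user-supplied backslash would un-escape the
    % or _ that follows it."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_literal(conn, term: str):
    """Substring search where the user's text is matched literally. The ESCAPE
    clause declares the escape character: SQLite has none by default and
    requires it, MySQL defaults to backslash but accepts the clause too."""
    pattern = f"%{escape_like(term)}%"
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_naive(db, "50%"))      # ['50% off', '50x off']: % matched any char
    print(search_literal(db, "50%"))    # ['50% off']
    print(search_naive(db, "%"))        # all six rows
    print(search_literal(db, "%"))      # ['50% off']
    print(search_literal(db, "a_b"))    # ['a_b'], not 'axb'
```

Note that the wildcard escaping is applied to the search term only and the result is still passed as a bound parameter; the two mechanisms compose, and neither replaces the other.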