-1

i am practicing php and I am puzzled while interpreting a function to escape dangerous sql characters. i want to know how it works especially the $value in the second if. its quiet puzzling for me to understand the actual flow of function.

function quote_smart($value, $handle) {

   if (get_magic_quotes_gpc()) {
       $value = stripslashes($value);
   }

   if (!is_numeric($value)) {
       $value = "'" . mysql_real_escape_string($value, $handle) . "'";
   }
   return $value;
}
user2591221
  • 29
  • 1
  • 9
  • [There are **NO dangerous characters**](http://stackoverflow.com/a/2995163/285587). – Your Common Sense Jul 19 '13 at 08:04
  • 1
    @YourCommonSense *blink* I may be low on coffee, but in what way does an answer saying you should escape your characters, not remove them contradict anything in this function that escapes characters and not removes them? Parameterised queries would be better of course, but... – Joachim Isaksson Jul 19 '13 at 08:08
  • you are probably not understanding what im trying to say.. actually i this is a part of my code – user2591221 Jul 19 '13 at 08:09
  • actually i passing parameters entered by user in a form and then after connection to database in $handle and the passing inputs as $value im just concerned about that particular part of code that passes variables $uname = quote_smart($uname, $db_handle); $pword = quote_smart($pword, $db_handle); – user2591221 Jul 19 '13 at 08:16

2 Answers2

1

What the code does is basically;

  • First it removes the effect of magic_quotes_gpc if and only if it's enabled in the server. It should not be since magic_quotes has been deprecated for a while (and removed entirely in new PHP versions).

  • Second, it encloses all non numeric values of $value in single quotes, and escapes the value using mysql_real_escape_string to avoid SQL injection in your value string.

Using recent versions of PHP, this method should not exist at all, since magic_quotes_gpc should never be enabled, and you'd be using PDO or MySQLi parameterized queries that do not need their values to be escaped.

Joachim Isaksson
  • 176,943
  • 25
  • 281
  • 294
  • if i am passing a value like O'corner in particular function then what will it pass to sql as query ...............$uname = quote_smart($uname, $db_handle); $SQL = "SELECT * FROM login WHERE L1 = $uname; $result = mysql_query($SQL); – user2591221 Jul 19 '13 at 08:26
  • @user2591221 You'd probably use it as `$sql = 'SELECT * FROM users WHERE name='.quote_smart("O'Corner");` which would give a valid MySQL query similar to `SELECT * FROM users WHERE name='O\'Corner'`. As compared to parameterized queries, building queries from strings is comparatively easy to get wrong though. – Joachim Isaksson Jul 19 '13 at 08:30
  • if magic quote is removed from updated versions of php what code we now use instead ov it – user2591221 Jul 19 '13 at 08:34
  • @user2591221 If you properly use `mysql_real_escape_string`, you don't need magic quotes. It was added to begin with as a misguided attempt to prevent SQL injection if you forgot to escape your SQL, but since it's _easily_ bypassed by a hacker it's not very useful on the Internet. – Joachim Isaksson Jul 19 '13 at 08:42
0

This function doesn't "escape dangerous sql characters". It does format $value as a correct mySQL literal. But does it wrong,

  • because it deals with get_magic_quotes_gpc() while it shouldn't.
  • and it does some magic, trying to format either numbers or strings
  • and it's intended to format values inserted into query directly, not via placeholder.

Correct version have to be

function quote_string($value, $handle)
{
    return = "'" . mysql_real_escape_string($value, $handle) . "'";
}

and it should be used only to process a placeholder.

While magic quotes have to be dealt with in a bootstrap file, for all input values, not only ones going into query, though for compatibility purpose only.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345