
I'm fairly new to mysqli (not to mysql!) and I'm updating a current mysql function which secures a string (or a (recursive) array of strings) for basic sanitation.

The php.net mysqli::real_escape_string() manual has a very clear warning about the charset. I've implemented this.

How do I test this? I can't find the information I'm looking for. I guess I'm looking for certain strings to input, resulting in an insecure result, and a result considered safe.

I don't mean "add slashes to ' <- those single quotes". I'm looking for some more advanced tricks or vulnerabilities.

I'm also not looking for prepared statements. Those are wonderful and I'd love to use them, but because I'm updating an old system as fast as possible, prepared statements are not an option at this point in time. I'll be adding those in the future.

Martijn
    -1 for "I am not looking for prepared statements". Because you should – Your Common Sense Aug 02 '13 at 13:47
  • That makes no sense... I'm working on an existing system; at this point I can't do this, that would be too much work. As I stated, they're wonderful, but not at this moment. This would be a next-round update; I'm planning to do so in new code. – Martijn Aug 02 '13 at 13:56

1 Answer

Here is the code you are looking for, I believe. Just change mysql to mysqli.

Also please note that

  • this function is not to "secure" strings but to format them. This means every string that is going into a query has to be processed, no matter whether you count it "dangerous" or not.
  • this function has to be used to format SQL string literals only, and it is utterly useless for all other query parts.
  • this function should not be used in the application code, but only to support emulated prepared statements.

Anyway, if your database encoding is conventional utf-8, there is no point in bothering with encoding at all. The "clear warning" is actually connected to some marginal and extremely rarely used encodings only.

Your Common Sense
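As an added example (not code from the question, the answer, or any library), here is one way to follow the answer's third bullet in PHP: `real_escape_string` is confined to string-literal placeholders inside a small emulated prepared-statement builder, while integers and identifiers get their own handling. The `build_query` function, the `$mysqli` connection and its credentials are assumptions.

```php
<?php
// Added example: a minimal emulated prepared-statement builder.
// real_escape_string is applied only inside quoted string literals (?s);
// integers (?i) are cast and identifiers (?n) are backtick-quoted instead,
// because escaping does nothing useful for those query parts.
// $mysqli, the host and the credentials below are hypothetical.

function build_query(mysqli $db, string $template, array $params): string
{
    // Split on the placeholders, keeping them so text and placeholders alternate.
    $parts = preg_split('~(\?[sin])~', $template, -1, PREG_SPLIT_DELIM_CAPTURE);
    if ((count($parts) - 1) / 2 !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $sql = '';
    $i = 0;
    foreach ($parts as $k => $part) {
        if ($k % 2 === 0) {          // even indexes are literal query text
            $sql .= $part;
            continue;
        }
        $value = $params[$i++];
        switch ($part) {
            case '?s':               // string literal: escape, then quote
                $sql .= "'" . $db->real_escape_string((string) $value) . "'";
                break;
            case '?i':               // integer: cast, never escape
                $sql .= (string) (int) $value;
                break;
            case '?n':               // identifier: backtick-quote, double inner backticks
                $sql .= '`' . str_replace('`', '``', (string) $value) . '`';
                break;
        }
    }
    return $sql;
}

$mysqli = new mysqli('localhost', 'user', 'password', 'app');  // hypothetical connection
// Tell the connection its charset so real_escape_string escapes for the same one.
$mysqli->set_charset('utf8mb4');

echo build_query(
    $mysqli,
    'SELECT * FROM ?n WHERE name = ?s AND id > ?i LIMIT ?i',
    ['users', "O'Brien", '10', '5 abc']   // constructed sample parameters
);
```

With those inputs the builder yields `SELECT * FROM \`users\` WHERE name = 'O\'Brien' AND id > 10 LIMIT 5`: the quote inside the name is escaped within its literal, while the junk in the LIMIT argument is dropped by the integer cast, which escaping alone would never have done.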
  • +1 for the explanation and the `utf-8` remark. I'm looking for something more broad to test. For example a list of strings which breaks stuff. Those examples are handled just fine in my utf8 system :) – Martijn Aug 02 '13 at 14:08
  • That's what I am talking about. No such strings exist. "A clear warning" is just inapplicable to utf-8. – Your Common Sense Aug 02 '13 at 14:17
  • Oh, like that. Ok, that's good to know. I'm pretty safe at this moment then. Slowly going to migrate to the prepared statements – Martijn Aug 02 '13 at 14:20