My question is not about needing help with code, but I am just wondering if mysql_escape_string() makes SQL-injection impossible.

I see a lot of people using this function for sql-security. If I use mysql_escape_string(), will I still need to use queries using parameters or not?

Also could you please tell me a good way to use this function or would mysql_escape_string($string) be enough?

If mysql_escape_string() isn't a good practice, could you please explain to me how to use parameters in a query string so I can understand it. I know how to use parameters and stuff in VB.net, but I'm lost when it comes to using parameters in PHP and MySQL.

Thanks in advance :).

Andy Lester
Giani Noyez
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Ali Aug 22 '13 at 01:17
  • possible duplicate of [mysql\_escape\_string vulnerabilities](http://stackoverflow.com/questions/13026469/mysql-escape-string-vulnerabilities) – pilcrow Aug 22 '13 at 01:22

3 Answers

Rather than ask "Will I still need to use parameters?", take the training wheels off and just use parametrized queries.

The experienced people of StackOverflow don't say "use parametrized queries" over and over and over and over just because we have nothing better to do.

For examples of how to use parametrized queries in PHP, see http://bobby-tables.com/php

Andy Lester

> if mysql_escape_string() makes SQL-injection impossible.

mysql_escape_string() is actually irrelevant to SQL-injection.

> I see a lot of people using this function for sql-security.

Indeed a lot. They are all in danger.

> If I use mysql_escape_string(), will I still need to use queries using parameters or not?

Quite the contrary: if you use parameters, you will not need this function.

> Also could you please tell me a good way to use this function

Yes, I could. You can use this function in your own implementation of parameterized queries. That's the only proper way of using this function. It is not required though, as you can use ready-made parameters offered by the driver.

> If mysql_escape_string() isn't a good practice.

Yes. But only under these conditions:

  • the newest version is used;
  • it is used for its real purpose, not to protect from injections;
  • it is used to process parameters.

> Could you please explain to me how to use parameters in a querystring

I hope you'd like the explanation in the PDO tag wiki.

Your Common Sense

I would suggest that you use parameterized queries with PDO. That's all you need, so don't worry about mysql_escape_string() (which is deprecated anyways).

Here is a tutorial on how to use PDO: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html

In case I wasn't being clear enough, any variables passed into your query that originate from outside of your script (or anything that could ever potentially contain malicious code) should be set up as parameters to your PDO statement, and these will be escaped for you.

Travesty3
  • It's not really "all you need" if you don't actually use the parametrized queries. It's possible to write unsafe code in PDO. – Andy Lester Aug 22 '13 at 01:58
  • @AndyLester: Come on now. How nitpicky do we need to get here? I said that PDO is the main way to do parameterized queries in PHP. I'm not assuming people are complete morons. Obviously they're supposed to **use** the parameterized queries. – Travesty3 Aug 22 '13 at 02:08
  • I'm not being nitpicky for the sake of nitpicking. I'm being nitpicky for the sake of the OP, and for anyone else coming along, who thinks that he/she can take existing `select * from foo where userid=$id` and wrap it in PDO and magically be safe. You say "obviously", but if all this was obvious to everyone, we wouldn't need StackOverflow. – Andy Lester Aug 22 '13 at 03:16
  • 1
    OK, I re-read my answer and I guess I can see your point. I reworded it. – Travesty3 Aug 22 '13 at 12:45
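The pattern all three answers point to, as an added example that is not code from the question or from any of the answers: the concatenated `where userid=$id` form that Andy Lester warns about in the comments, beside the PDO prepared-statement form that replaces it, with no escaping step anywhere. The DSN, the credentials and the `users` table are assumed placeholders.

```php
<?php
// Added example (not from the original question or answers): the same lookup
// written with string concatenation and with a PDO prepared statement.
// Assumes a MySQL database reachable via the DSN below; the credentials and the
// `users` table are hypothetical placeholders.

declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
    'app_user',
    'REPLACE_WITH_PASSWORD',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Send the query text and the values to the server separately instead
        // of letting PDO splice the values into the SQL string client-side.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// UNSAFE: the value becomes part of the SQL text, so whatever the user typed is
// parsed as SQL. Escaping does not help here because the value is not even
// inside quotes; this is the pattern the comments above describe.
function findUserUnsafe(PDO $pdo, string $id): ?array
{
    $row = $pdo->query("SELECT id, name FROM users WHERE id = $id")->fetch();
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed at prepare() time; the value travels as a bound
// parameter and is never interpreted as part of the statement.
function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Positional placeholders work the same way; execute() can take the values
// directly, so string values need no quoting or escaping by the caller.
function findUsersByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

// Parameters can only stand in for values. A column name chosen by the user
// cannot be bound, so it is checked against an allow-list instead.
function findUsersSorted(PDO $pdo, string $sortColumn): array
{
    $allowed = ['id', 'name'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    return $pdo->query("SELECT id, name FROM users ORDER BY `$sortColumn`")->fetchAll();
}

// Usage: the request value goes straight to the bound parameter. The integer
// filter is input validation, not the thing that makes the query safe.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id !== false && $id !== null) {
    var_dump(findUserById($pdo, $id));
}
```

The two safe functions differ only in placeholder style; what matters is that the statement text is never built from the input. The last function shows the one case prepared statements do not cover (identifiers), which is why the allow-list check sits there rather than any escaping call.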