0

I have a PHP application where I'm using PHP mysql native library to run and manage queries with the database. In my application, I'm using an abstract layer to validate user input [and any other inputs] against SQL Injection. Some times, in some areas the same input is validated against SQL injection multiple times, which adds additional slashes to the input

For example:

$str = "It's cold";
$str = validate_against_sql($str);//produces It\'s cold
$str = validate_against_sql($str);//produces It\\\'s cold

Which means additional slashes are added to the input/string.

I've googled for 2 hours and did not find a way to do it, and tried to write a function myself that does this process but I'm not familiar with regular expressions and couldn't do it.

Is there a way to add to my "validate_against_sql" function that checks first if the parameter is already valid as a query parameter, so in this case, I would ignore validating it again and prevent adding the slashes?

I mean something like this:

function validate_against_sql($str){

if(!string_already_valid_as_sql_query_parameter($str)){

mysql_real_escape_string($str);

}

}

So, basically I want the "string_already_valid_as_sql_query_parameter" function checks if all special characters are already skipped, and in this case don't validate the same input again.

Gumbo
  • 643,351
  • 109
  • 780
  • 844
Egy_Medrawi
  • 45
  • 8
  • 1
    Don't use the `mysql_` functions; they are deprecated. You should use `mysqli` or `PDO` instead. – Joren Apr 27 '14 at 09:59
  • Use parameterization like prepared statements provide. Then you don’t need care about escaping. Have a look at [*How can I prevent SQL injection in PHP?*](http://stackoverflow.com/q/60174/53114) for more information. – Gumbo Apr 27 '14 at 10:05

1 Answers1

0

Is there a way to add to my "validate_against_sql" function that checks first if the parameter is already valid as a query parameter

No.

In fact, if one were used here, you were unable to post your question, as it contains supposedly "invalid" double escaped string. Means there is no such thing like "string_already_valid_as_sql_query_parameter" at all.

Some times, in some areas the same input is validated against SQL injection multiple times, which adds additional slashes to the input

This

is what are you doing wrong. There should be only single place where SQL values have to be formatted. And by no means it have to be input validation layer. Let me tell you how it have to be done.

You have to comprehend the difference between input validation and SQL query creation. While there is nothing wrong with input validation itself, it should have absolutely nothing to do with SQL. It's all right to verify data types, formats, existence, etc. But input validation layer should never touch the data, changing its format for another layer. Just because at the time of input validation you cannot know where your data would go - SQL query or email message or it will be shown back to the browser.

There should be another abstract layer, to deal with SQL exclusively. And this one have to be responsible for the SQL formatting. And it is a thing you are looking for, as it will build a query out of given data right before execution, mitigating any possibility of double escaping.

  • Moreover, such a layer should act independently of any input! In fact, you have to format all SQL values, not only ones came from user input.
  • Moreover, SQL formatting is not as silly as just running some escaping function on the data.
  • Moreover, you should never bother yourself with SQL injections. Don't you believe me? Please read an article I wrote on the purpose to explain the matter throughly: The Hitchhiker's Guide to SQL Injection protection
Community
  • 1
  • 1
Your Common Sense
  • 156,878
  • 40
  • 214
  • 345