
I'm preparing for Zend PHP 5.5 Certification and I found a question in the study guide which seems to have a wrong answer. I just don't understand - is there a mistake in their question or answer, or does escaping output prevent SQL Injection in any manner?

I searched on the net but I can't find any information to prove this.

If escaping output really protects from SQL Injection, can anybody explain how exactly? It would be great if you could give an example.

Thank you very much.


Edit:

My question is not about how to prevent SQL Injection, but is if output escaping prevents SQL Injection in any way, so please don't mark my question as duplicate. Duplicate Questions don't give me any answer to this one.

Alfa3eta
  • You must not understand output as data sent to the user only. – Gumbo May 17 '14 at 11:08
  • Gumbo, what do you exactly mean? – Alfa3eta May 17 '14 at 11:11
  • @vascowhite, the question is about how to prevent SQL Injection, but nobody says that escaping output helps in any way, while Zend affirms that it does. – Alfa3eta May 17 '14 at 11:20
  • I think there is a typo in the question (Zend mistake), and they meant 'Input' instead of output, that is :) – Sveatoslav May 17 '14 at 11:42
  • **It's all about XSS.** *No idea how it could affect SQL.* I think it all depends on what one defines as `output` *(maybe a typo)*. – CodeAngry May 17 '14 at 11:43
  • @SveatoslavCircel whatever they meant, input or output - it wouldn't help. – Your Common Sense May 17 '14 at 11:49
  • Output is something that is leaving a certain system/process/component. If you build SQL and pass it to your database server, I’d also consider that output. – Gumbo May 17 '14 at 11:58
  • Well, it seems that @Gumbo's comment is the answer. – Your Common Sense May 17 '14 at 18:32
  • Quite unfair to say that output needs to be escaped to prevent SQL injection; the context in the question is clearly the response to the client, not a request of any kind. At least I can understand the OP's confusion on this subject. It would have been easy to make the context clear. – Ronni Skansing May 19 '14 at 07:45
  • @Gumbo I encountered the same question and it puzzled me. Post that as an answer pls. I think that is the one (don't see anything else that makes sense). – zozo Mar 23 '16 at 12:56

2 Answers


My question is not about how to prevent SQL Injection, but is if output escaping prevents SQL Injection in any way, so please don't mark my question as duplicate. Duplicate Questions don't give me any answer to this one.

Okay, the answer to your question is "No". See also:

It doesn't matter if you're escaping output after processing the injected query or not, if I can just write malware to your filesystem and access it directly.

The study guide is wrong.

Scott Arciszewski

I think it’s all a matter of interpretation: If you interpret the term output as ‘data that leaves a certain system/process/component/function’ and escaping in regard of SQL as ‘applying *_escape_string or similar functions to values that are put into SQL code’, then, yes, output escaping may help protect you from SQL injections.

Note that it says “may help” as there are cases in which such functions won’t help, most notably when escaped values are not used in a string literal.

Gumbo
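The two situations Gumbo's answer distinguishes, shown as an added example that is not part of this thread and not the Zend material. It is written in Python against an in-memory SQLite database rather than PHP/MySQL so it runs offline without a server; `escape_string()` is an assumed stand-in for `mysqli_real_escape_string` and similar functions (it doubles single quotes, which is SQLite's quoting rule, where MySQL also backslash-escapes a few more characters), and the `users` table is constructed sample data. The point carried over from the answer is that escaping only helps when the escaped value lands inside a quoted string literal; in a numeric context the attacker needs no quote, so escaping changes nothing, and only a bound parameter closes both cases.

```python
import sqlite3


def escape_string(value: str) -> str:
    """Assumed stand-in for mysqli_real_escape_string and friends.

    Makes a value safe to embed INSIDE a single-quoted SQL string literal by
    doubling every quote (SQLite's rule; MySQL's function also backslash-escapes
    a few more characters, the lesson is the same). It knows nothing about
    where the caller will put the result, which is exactly its limitation.
    """
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration (not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def names(conn: sqlite3.Connection, sql: str, params=()) -> list:
    """Run a query and return the selected names in id order."""
    return [row[0] for row in conn.execute(sql, params)]


def find_by_name_raw(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: user input interpolated into a string literal unescaped."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % name
    return names(conn, sql)


def find_by_name_escaped(conn: sqlite3.Connection, name: str) -> list:
    """Escaping does its job here: the value sits inside a quoted literal, so
    an injected quote can no longer terminate that literal."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY id" % escape_string(name)
    return names(conn, sql)


def find_by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list:
    """Gumbo's caveat: the escaped value is NOT inside a string literal.
    A payload such as '1 OR 1=1' contains no quote, so escape_string() leaves
    it untouched and it is spliced into the WHERE clause as SQL."""
    sql = "SELECT name FROM users WHERE id = %s ORDER BY id" % escape_string(user_id)
    return names(conn, sql)


def find_by_id_param(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix that covers both contexts: a bound parameter is sent as a value
    and never parsed as SQL, whatever it contains. Note the query text has
    no quotes around the placeholder and still cannot be injected."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return names(conn, sql, (user_id,))


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_raw(db, "' OR '1'='1"))      # ['alice', 'bob', 'carol']: injection works
    print(find_by_name_escaped(db, "' OR '1'='1"))  # []: escaping defeated it
    print(find_by_id_escaped(db, "1 OR 1=1"))       # ['alice', 'bob', 'carol']: escaping was useless here
    print(find_by_id_param(db, "1 OR 1=1"))         # []: parameter binding holds
    print(find_by_id_param(db, "1"))                # ['alice']
```

Read the third call as the answer to the original question: under Gumbo's reading of "output" the study guide's claim is true for `find_by_name_escaped`, but `find_by_id_escaped` is escaped just as carefully and is still fully injectable, which is why escaping alone is not a SQL injection defence and parameterised queries are the standard answer.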