
I have the following code I use to roughly identify a machine:

```php
$computerId = "UserAgent:".$_SERVER['HTTP_USER_AGENT']."RemoteAddress:".$_SERVER['REMOTE_ADDR'];
```

I use the following code to compare an escaped vs an unescaped string:

```php
echo "Unescaped:
".$computerId."
Escaped:
".mysqli_real_escape_string($conn, $computerId);
```

This is the output I get:

Unescaped: UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36RemoteAddress:::1

Escaped: UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36RemoteAddress:::1

As you can see, they are completely identical, and it does not look like the escape is doing anything, as both strings contain unescaped backward-slashes and semicolons. What might be causing this?

Sofus Øvretveit
    No character in this string _needs_ to be escaped for MySQL. – tkausl Sep 05 '18 at 18:19
  • Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Sep 05 '18 at 18:20
  • Possible duplicate of [SQL injection that gets around mysql\_real\_escape\_string()](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) – Madhur Bhaiya Sep 05 '18 at 18:23
  • The `backward-slashes` are forward slashes. I know of no malicious use they have. Are you trying to prevent XSS injections or SQL injections? The provided string doesn't look to be an attempt at either, looks like a user agent. – user3783243 Sep 05 '18 at 18:28

1 Answer

According to the documentation (http://php.net/manual/en/function.mysql-real-escape-string.php):

> mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

Hence the semicolon (;) is not a character which is escaped (or prepended with a backslash) by the function.

Bill Karwin
Rinsad Ahmed
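A self-contained illustration of the rule the answer quotes, added here and not part of the original question or answer. `modelEscape()` is a hypothetical pure-PHP model of that character list so it runs without a database; it is not mysqli's own implementation, which also depends on the connection charset. `recordVisit()` and the `visits` table are assumed for the prepared-statement part the comments recommend.

```php
<?php
// Added example: a pure-PHP model of the escaping rule quoted in the answer.
// It is NOT mysqli_real_escape_string(); it assumes a single-byte or UTF-8
// connection charset, where the byte list below is exactly what applies.
function modelEscape(string $s): string
{
    // The library prepends a backslash to exactly these bytes:
    // NUL, \n, \r, backslash, single quote, double quote and Ctrl-Z (\x1a).
    $map = [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ];
    return strtr($s, $map);
}

// The asker's string (constructed copy of the output in the question):
// it contains '/', ';', ':' and spaces, none of which are on the list,
// so the "escaped" form is byte-for-byte identical to the input.
$computerId = "UserAgent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    . "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 "
    . "Safari/537.36RemoteAddress:::1";
var_dump(modelEscape($computerId) === $computerId);

// A User-Agent header is client-supplied, so it may carry characters that
// ARE on the list (constructed value): here a quote, a backslash and CRLF.
$oddAgent = "Custom's Agent\\1.0\r\n";
var_dump(modelEscape($oddAgent));

// What the comments recommend instead of escaping: a prepared statement
// with a bound parameter. The value is sent separately from the SQL text,
// so the question of which characters need escaping never arises.
// Assumes $conn is an open mysqli connection and a hypothetical table
// visits(computer_id VARCHAR) that is not part of the page.
function recordVisit(mysqli $conn, string $computerId): bool
{
    $stmt = $conn->prepare('INSERT INTO visits (computer_id) VALUES (?)');
    $stmt->bind_param('s', $computerId);
    return $stmt->execute();
}
```

The first `var_dump` reproduces the asker's observation (the two strings match), while the second shows the backslash insertion that only happens when one of the listed bytes is present.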