2

Like this,

$type = mysqli_real_escape_string($dbc, trim($_POST['type']));

Does the trim improve security or does the mysqli_real_escape_string do enough already?

Basic

5 Answers

2

mysqli_real_escape_string will only escape the string to prevent injection attacks. If you don't want stray whitespace you should probably trim too.

Twelve47
  • There's some misinformation here; [mysql_real_escape_string per se will not prevent all types of SQL injection](http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-injec) – acm Apr 14 '11 at 10:44
2
  • mysqli_real_escape_string is not enough.
  • and it's an extremely bad idea to do it for the form inputs
  • it shouldn't be used at all anyway

Speaking of escaping, mysql[i]_real_escape_string is not a make-my-data-magically-safe() kind of function; it merely escapes string delimiters, to prevent strings from being broken. So, it won't help with numbers, for example.
In fact, it has nothing to do with injection attacks, because this function should be used regardless of any attack, but only to make your strings compliant with SQL syntax rules. And it will be of no help with any other parts of the query.

Also, it has nothing to do with "form inputs" nor with forms in general. It's a database-related function, not a forms-related one. It's the strings that are going into the query that should be escaped, and nothing else.

Anyway, it shouldn't be used at all, as you have to use mysqli prepared statements instead.

And oh, yes - trim() has nothing to do with security; it's rather there to make data look neat.

Your Common Sense
  • why shouldn't he use mysqli_real_escape_string? – Twelve47 Apr 14 '11 at 10:01
  • Could you please explain your answer? Why is it bad to do trim for form inputs? I ask as my book says to use it, but you say not to. – Basic Apr 14 '11 at 10:02
  • @basic, what book? I am reading one also which says the same thing? thanks – Drewdin Apr 14 '11 at 10:09
  • php6 and mysql 5 for dynamic websites. – Basic Apr 14 '11 at 10:10
  • @Twelve47, you should use the mysql_real_escape_string functions (if you're not using prepared statements); but take into consideration that they do not escape all types of SQL injection. Take a look at this question: http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-injec – acm Apr 14 '11 at 10:40
  • I use trim on `POST` strings. Why not? It helps for strings like email addresses and names and practically any other string where you don't want any whitespace at the beginning or end. – Martin Bean Apr 14 '11 at 10:44
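The prepared-statement approach this answer recommends, applied to the question's `$_POST['type']`, as an added example that is not part of any answer on this page; the mysqli connection `$dbc`, the `items` table and its `type`/`qty` columns are assumptions:

```php
<?php
// Added example, not from any answer on this page. Assumes an existing mysqli
// connection $dbc and a hypothetical table `items` (type VARCHAR, qty INT).

/**
 * Store a form submission. trim() here is cosmetic (it strips stray whitespace);
 * the SQL safety comes entirely from the placeholders and bind_param().
 */
function store_item(mysqli $dbc, array $post): bool
{
    $type = trim($post['type'] ?? '');
    // A number placed unquoted in SQL gains nothing from string escaping;
    // casting it and binding it as "i" sends it to the server as an integer.
    $qty = (int) ($post['qty'] ?? 0);

    $stmt = $dbc->prepare('INSERT INTO items (type, qty) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    // "s" = string, "i" = integer. Values travel separately from the SQL text,
    // so no value, quoted or not, can change the statement's structure.
    $stmt->bind_param('si', $type, $qty);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/**
 * HTML escaping belongs to the output context, not to the database: convert
 * HTML metacharacters only when echoing a stored value into a page.
 */
function render_type(string $storedType): string
{
    return htmlspecialchars($storedType, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Usage (connection details are placeholders):
// $dbc = new mysqli('localhost', 'user', 'pass', 'shop');
// store_item($dbc, $_POST);
// echo '<td>' . render_type($row['type']) . '</td>';
```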
1

Using the mysqli_real_escape_string will do enough to prevent injection in your database.

When displaying the posted value to the user, you should make sure to use htmlentities on it though.

Wesley van Opdorp
  • There's some misinformation here; [mysql_real_escape_string per se will not prevent all types of SQL injection](http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-injec) – acm Apr 14 '11 at 10:43
0

Trimming the whitespace of the string will do nothing to improve security. Escaping the string should be enough to prevent SQL injection.

Timothy Groote
0

Your example will help prevent SQL Injection, as any "Special Characters" will be escaped (so " becomes \" and so on), but it won't prevent XSS (Cross-Site Scripting), as the value could still contain HTML characters like < and >.

You can use the following code to help prevent both types of attacks:

<?php
    // $dbc is an existing mysqli connection
    //Get the variable
    $userValue = $_GET['value'];
    //Remove any preceding/trailing whitespace
    $userValue = trim($userValue);
    //Convert any HTML characters to their entity value
    $userValue = htmlspecialchars($userValue);
    //Escape any SQL special characters
    $userValue = mysqli_real_escape_string($dbc, $userValue);
?>

For more information on XSS, check out this link https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Another useful resource is this PHP library; it's designed to filter any user input to protect against (pretty much) all methods of XSS: http://htmlpurifier.org/

fin1te