1

Im using sphinxql currently and using mysql_real_escape_string on my $query but since there is no database connection...I get an access denied. I was looking for alternatives :

$query = $_GET["query"];



$query = trim($query);
$remove = array(',','}','{',']','[',';',':','>','<','|',')','(','*','%','$','!','^','/');
$query=str_replace($remove, "", $query);
$con = mysql_connect("localhost:9306","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

$res = mysql_query("SELECT * FROM test1 WHERE MATCH ('$query')");
re1man
  • 2,337
  • 11
  • 38
  • 54
  • 2
    First connect to the database, then use the escape function. Or am I missing something? The alternative would be a prepared statement, checkout PDO. – hakre Aug 10 '11 at 20:01
  • mysql_escape_string doesn't need a DB connection, but it's deprecated. – ceejayoz Aug 10 '11 at 20:02

6 Answers6

4

you can use this function if you mysteriously want to escape values without a database connection : 

<?php
function mysql_escape_mimic($inp) {
    if(is_array($inp))
        return array_map(__METHOD__, $inp);

    if(!empty($inp) && is_string($inp)) {
        return str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $inp);
    }

    return $inp;
}
?>
DonSeba
  • 2,098
  • 2
  • 16
  • 25
3

but since there is no database connection...I get an access denied.

Run mysql_real_escape_string() after the connection has been established. There is no other way.

The fact that the escaping function requires an active connection is by design and necessary so it knows the character set it's preparing the data for. Without that information, there is room for vulnerabilities.

Community
  • 1
  • 1
Pekka
  • 442,112
  • 142
  • 972
  • 1,088
  • @Praneet what do you need `mysql_real_escape_string()` for then? I don't understand. – Pekka Aug 10 '11 at 20:07
  • hmm I guess this is true :) I was assuming that a sphinx index using sql queries could be vulnerable – re1man Aug 10 '11 at 20:10
1

Already answered at: Alternative to mysql_real_escape_string without connecting to DB

too much php said: "It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.

If you are only testing, then you may as well use mysql_escape_string(), it's not 100% guaranteed against SQL injection attacks, but it's impossible to build anything safer without a DB connection."

Community
  • 1
  • 1
James
  • 11
  • 2
  • Is the connection needed for any more than finding the correct character set? If not, then can it not be done in PHP with the correct character set being known? – Jason Nov 06 '13 at 13:40
0

I can use mysql_real_escape_string() function connected to a SphinxQL server this way:

$msg_sphinx = mysql_real_escape_string($msg, $db_sphinx);

$db_sphinx is the resource PHP uses to handle SphinxQL connection:

$db_sphinx = mysql_connect(DB_SPHINX_SERVER, DB_SPHINX_USER, DB_SPHINX_PASS);

So, there is no need to use an alternative to mysql_real_escape_string() function

snippetsofcode
  • 937
  • 2
  • 10
  • 10
0

Its not safe to pass direct query string to database even by replacing this set of strings. you can also add '-' or '--' in string replacement set to avoid SQL injection as '--' is used for SQL comments and its key to SQL injection.

Moreover I also tried to pass sql statement in HTML form element from one page to another but its also not worked as HTML request and response add few extra characters in the end of string.

Session variable also useless to do the same.

Hasan Baig
  • 491
  • 6
  • 17
0

Why would you need mysql_real_escape_string i you don't have a connection?

You could connect first, and assemble the query afterwards (before executing it)

GolezTrol
  • 114,394
  • 18
  • 182
  • 210
  • You could use mysql_escape_string. It does what mysql_real_espace_string does, unly it doesn't have a connection, so it won't take in account any connection-specific settings. – GolezTrol Aug 15 '11 at 20:32