6 replies to this topic

[yewbie]

I have a custom web application I am playing around with written in php accessing a mysql database using a html interface.
Let me qualify this and say that I am very new to PHP and I may be unaware of something considered standard.

I am calling functions from inside my php (webpage) file that the user accesses with 2 or more variables like:

function TestFunctionRpt($orderby,$sort)

I sanitize both of my input variables using the PHP function "mysql_real_escape_string()".
http://php.net/manual/en/function.mysql-real-escape-string.php

Now my question is this, this seems very very simple am I actually protecting myself from SQL injection?
Is there anything else I need to look out for?

Also for reference my function is called like this inside my page.

[source lang="php"]<?php echo $mysite->TestFunctionRpt($_GET ['orderby'],$_GET ['sort'],$_GET['cust'],$_GET['startdate'],$_GET['enddate']);?>[/source]

Thank you for reading, hopefully you are having a great day!

Edited by yewbie, 25 October 2012 - 09:08 AM.

[Washu]

Use parameterized queries. Don't just concatenate strings together to make your SQL statements.

[yewbie]

Use parameterized queries. Don't just concatenate strings together to make your SQL statements.

Here is what I am currently doing, does this count as a parameterized query?

[source lang="php"]BlahRpt($orderby,$startdate,$enddate){$sanorderby = $this->SanitizeForSQL($orderby);$sanstartdate = $this->SanitizeForSQL($startdate);$sanenddate = $this->SanitizeForSQL($enddate);$qry = "Select * from $this->tablename WHERE `RequiredDate` >= '$sanstartdate' AND `RequiredDate` <= '$sanenddate' ORDER BY $sanorderby ASC";}[/source]


[source lang="php"]function SanitizeForSQL($str) { if( function_exists( "mysql_real_escape_string" ) ) { $ret_str = mysql_real_escape_string( $str ); } else { $ret_str = addslashes( $str ); } return $ret_str; }[/source]

Edited by yewbie, 25 October 2012 - 05:21 PM.

[Washu]

No, that's string concatenation at its best/worst.

http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Edited by Washu, 25 October 2012 - 05:46 PM.

[yewbie]

Thank you very very much, that link was very informative.

So Bind, Prepare, Execute. Seems easy enough.
And feel free to not answer this if its a long response (as I am trying to google the answer after I post this).

My guess would be even though I am removing escape sequences there are ways around that through injection?

Also I have found a great deal of information on the php page about why using mysql_real_escape_string is bad. http://php.net/manual/en/function.mysql-real-escape-string.php

Thank you for your time Washu =)

[SimonForsman]

My guess would be even though I am removing escape sequences there are ways around that through injection?

No, there shouldn't be unless there is a bug in PHPs mysql library or you are using multiple sql connections with different char-sets (in which case you have to pass the connection to the escape function aswell), but it is still a good idea to always use parameterized queries because they are virtually impossible to mess up with. (PHP will not complain if you forget/miss escaping a value, you will get an error if you don't use parameterized queries correctly)

[yewbie]

Awesome, thanks Simon!