secure mysql usage

**Dennis_Gull** · 12-29-2008, 11:23 PM

Hello guys,
I have a couple of quick questions regarding mysql queries.
Right know I check the database string values that people insert from the site like this:

PHP Code:


if (get_magic_quotes_gpc()) {

    return stripslashes($input);

} else {

    return mysqli_real_escape_string($db,$input);

}

This is just a guess but won't I need to add mysqli_real_escape_string after stripslashes if I got magic quotes on and will mysqli_real_escape_string be enough to secure the string?

And will I also have to check the inputs with mysqli_real_escape_string once people want to load data (besides for inserting data) and is there a way I can check if the data is a number instead of string?

thanks in advance

**Nile** · 12-30-2008, 03:13 AM

You should be using mysqli_real_escape_string, and htmlentities just to be safe.

Here's to check if it's an integer:

PHP Code:


<?php
if(!is_int($string)){
  echo "This is the output if \$string is not a number.";
} else {
  echo "This is the output if \$string is a number.";
}
?>

To see if it is numeric, change the is_int to is_numeric.

**Twey** · 12-30-2008, 01:28 PM

Learn to use PDO. Prepared statements and bound variables are a blessing — security is pretty much taken care of automatically.

You're quite right, stripping the slashes makes it, if anything, more important to escape the values. The code should look like this:

Code:

return mysqli_real_escape_string(get_magic_quotes_gpc() ? stripslashes($input) : $input);

A neater solution, though, might be to use a wrapper function around GET/POST/COOKIE values in the first place:

Code:

function g($k) {
  return get_magic_quotes_gpc() ? stripslashes($_GET[$k]) : $_GET[$k];
}

Alternatively, simply disable magic quotes in the first place.

**Dennis_Gull** · 12-30-2008, 10:55 PM

Thanks for the info guys, this is really useful!

**Nile** · 12-30-2008, 10:57 PM

Glad to help you Dennis.

**Dennis_Gull** · 12-31-2008, 01:01 AM

just a little side question, when I use htmlentities to clean out the html tags and special characters and then load it with ajax I will see the cleaned code instead of the "converted", example:

I insert "hello & welcome" and use htmlentities on it, I will then output:
"hello & welcome" once I load it (with ajax that is).. is there a way to bypass this?

**Nile** · 12-31-2008, 01:09 AM

PHP: Str_replace()

**Twey** · 12-31-2008, 02:18 AM

If you're seeing those then you don't want to be using htmlentities(). htmlentities() is only for data that's going to be inserted into an HTML page; if it isn't going to be inserted then you don't need to do it. Additionally, ensure that the operation is only performed once on any input.

**Dennis_Gull** · 12-31-2008, 02:23 AM

Do I have to replace all the special characters again?

Won't that break the xml structure again?

I could of course replace them inside javascript if thats necessary, was just hoping for a simple feature to do this backwards.

**Nile** · 12-31-2008, 02:27 AM

I think you would do something like this:

PHP Code:


<?php
$content = "A &amp; B";
$content = str_replace('&amp;','&',$content);
echo $content;
?>

Thread: secure mysql usage

Thread Tools

Search Thread

secure mysql usage

Bookmarks

Bookmarks

Posting Permissions