Coding Thread: PHP SQL Injection, Protection already set? (Coding and Web Development)
#1

    PHP SQL Injection, Protection already set?

    Hello,

    While I have been working on a few PHP scripts I have come across something and I cannot figure out why it is doing it; hopefully you may be able to tell me.

    When a form is submitted I have always used the following code to protect the MySQL queries from SQL injection and to strip any tags that have been entered:

    $data = mysql_real_escape_string(strip_tags($_POST['data']));

    The data variable is then passed through a MySQL query and then I echo out a message like this:

    echo "The data you entered, ".$data.", was successfully added to the database.";

    The problem is this... When the data is echoed out, if the data contained a ' character then there are 3 backslashes before it.

    For example, if a user entered: Eddie's code
    The message would say: The data you entered, Eddie\\\'s code, was successfully added to the database.

    I think that the ' character is being protected by a backslash and then both those characters are being protected, so therefore it results in 3 backslashes and a ' character.

    When I remove the SQL protection (mysql_real_escape_string(strip_tags($_POST['data']))) then the data is passed through the query correctly without trouble...

    After all of that, what I really want to know is: do MySQL queries now protect themselves from SQL injection?

    I don't know which version of PHP the server I have my script hosted on is running, but I would just like to know why this is and whether it is safe to remove all the SQL protection, as the MySQL queries execute the code with no trouble even when a ' character is used.

    Sorry for the essay haha,

    Thanks everyone for your time in helping me.

    Eddie


    ##Edit##
    When a user submits a text field with a ' character in it, is that character escaped using a backslash?
    Last edited by eddie; 22nd August 2009 at 01:26 PM. Reason: Extra info
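The following is an added example, not code from the thread, that reconstructs where the three backslashes come from and what the query actually received. mysql_real_escape_string() needs a live connection and ext/mysql was removed in PHP 7, so escapeLikeMysql() below is an assumed stand-in that applies the same character rules; an in-memory SQLite database stands in for the MySQL server so the last part runs offline. The sample input is constructed.

```php
<?php
// Added example (not from the thread): why "Eddie's code" came back as "Eddie\\\'s code".
// Two escaping layers were applied to the same string:
//   1. magic_quotes_gpc (PHP < 5.4) ran addslashes() on every $_POST value on arrival;
//   2. the script then ran mysql_real_escape_string() on the already-escaped value.
// escapeLikeMysql() is an assumption of this example: it mimics the characters
// mysql_real_escape_string() escapes (\ ' " NUL \n \r \x1a) without a connection.

declare(strict_types=1);

function escapeLikeMysql(string $s): string
{
    return strtr($s, [
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\x1a" => '\\Z',
    ]);
}

// Constructed sample: what the browser actually sent.
$submitted = "Eddie's code";

// Layer 1: what magic_quotes_gpc would have put into $_POST['data'].
$magicQuoted = addslashes($submitted);          // Eddie\'s code

// Layer 2: the escaping the script added on top -> the three backslashes.
$doubleEscaped = escapeLikeMysql($magicQuoted); // Eddie\\\'s code

// What the thread arrives at: undo magic quotes first, then escape exactly once.
$normalised  = stripslashes($magicQuoted);      // Eddie's code
$escapedOnce = escapeLikeMysql($normalised);    // Eddie\'s code

printf("submitted:      %s\n", $submitted);
printf("magic-quoted:   %s\n", $magicQuoted);
printf("double-escaped: %s\n", $doubleEscaped);
printf("escaped once:   %s\n", $escapedOnce);

// Escaping is only for building SQL text. The value echoed back to the user is
// the unescaped one, encoded for HTML output (the apostrophe becomes &#039;).
echo "The data you entered, " . htmlspecialchars($normalised, ENT_QUOTES, 'UTF-8')
   . ", was successfully added to the database.\n";

// "Do MySQL queries protect themselves?" - no. A parameterised query keeps the
// value out of the SQL text entirely, so neither escaping layer is needed.
// SQLite in memory is used here only so the example runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (data TEXT)');
$stmt = $pdo->prepare('INSERT INTO entries (data) VALUES (:data)');
$stmt->execute([':data' => $normalised]);
$stored = $pdo->query('SELECT data FROM entries')->fetchColumn();
printf("stored via prepared statement: %s\n", $stored); // Eddie's code
```

Run it with `php example.php`. The "double-escaped" line reproduces the `\\\'` the original post saw: the first layer turned `'` into `\'`, and the second layer then escaped both the backslash and the quote.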

#2
    It's probably due to the PHP settings on the server (in the php.ini file): if the 'Magic Quotes' settings are enabled, then PHP automatically tries to 'make safe' any input from forms.

    The PHP developers now recommend that the Magic Quotes options are disabled, not least because it can encourage programmers to be lazy, and assume their inputs are safe (not in your case though!).

    There's more info on this at the PHP manual (including ways to work out what the current setting is, and how to work around it).

    Stephen

#3
    Thanks Steve!!

    That explains it! I've been having to add stripslashes($_POST['data']) to everything that has been submitted by the POST method in a form, just to get a variable to equal what was actually submitted by the form haha.

    They have removed the option to change the magic quotes on/off in the newer PHP versions, which is good, but on the other hand, when the company we host with upgrades their version of PHP we will need to change our scripts.

    I have read the manual for disabling it and I don't quite understand how to do this. They have just written some text. Do you know how to do it?

#4
    Originally Posted by eddie:
        I have read the manual for disabling it and I don't quite understand how to do this. They have just written some text. Do you know how to do it?
    There doesn't look to be a 100% surefire way to sort things out, but one of the examples posted on the page I linked to should be enough for your form data:

    Code:
    <?php
    if (get_magic_quotes_gpc()) {
        function stripslashes_gpc(&$value)
        {
            $value = stripslashes($value);
        }
        array_walk_recursive($_GET, 'stripslashes_gpc');
        array_walk_recursive($_POST, 'stripslashes_gpc');
        array_walk_recursive($_COOKIE, 'stripslashes_gpc');
        array_walk_recursive($_REQUEST, 'stripslashes_gpc');
    }
    ?>
    If you put that in a file that gets included in every PHP page (such as a config file, or library) then it'll sort out the form values. When you move to a server without magic quotes, the above code will leave the $_ variables alone, but for now it will run the stripslashes function on each element of the four input arrays.

    You'll still need to use the escape functions before storing data in the database though (if it's MySQL, then use mysql_real_escape_string() rather than just addslashes() - which of course you are doing already).

    Stephen
    Last edited by SteveMC; 22nd August 2009 at 02:27 PM.

#5
    Ah right, include that into every script, got it.

    Cheers for all your help Stephen.

#6
    One thing to be aware of though: the code above works fine if all your form inputs are stored in the main arrays as follows:

    Code:
    <input type="text" name="input1" />
    which, when submitted, creates PHP values as:

    Code:
    $_POST['input1']
    ...but if you're doing anything clever with form arrays like this:

    Code:
    <input type="text" name="myform[input1]" />
    which get turned into:

    Code:
    $_POST['myform']['input1'];
    ...then it won't remove the slashes from the value of those inputs. It should be possible to adapt the code to recurse its way through nested arrays if required.

    Stephen
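As an added example covering both the include-file approach in post #4 and the nested-array case raised in the last post (this is not the thread's own code): a normaliser that walks input arrays of any depth explicitly, strips one layer of slashes from keys as well as values (magic_quotes_gpc escaped both), and only runs when the server actually has magic quotes on. get_magic_quotes_gpc() always returns false from PHP 5.4 and no longer exists in PHP 8, so it is reached through function_exists() to keep the example runnable on a current interpreter. The $simulatedPost array is constructed sample data.

```php
<?php
// Added example, not from the thread: magic-quotes normaliser for nested input
// arrays such as $_POST['myform']['input1'], guarded so it runs at most once.

declare(strict_types=1);

// True only on a PHP < 5.4 server with magic_quotes_gpc = On. On PHP >= 5.4 the
// function returns false; on PHP 8 it does not exist, hence the function_exists().
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

/** Returns a copy of $input with one layer of backslashes removed from every key and leaf. */
function stripMagicQuotes(array $input): array
{
    $out = [];
    foreach ($input as $key => $value) {
        // magic_quotes_gpc slashed array keys too, so normalise string keys as well.
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $out[$cleanKey] = is_array($value)
            ? stripMagicQuotes($value)            // recurse into myform[...] style inputs
            : stripslashes((string) $value);
    }
    return $out;
}

// Constructed sample: what magic_quotes_gpc would have made of a form with
// name="input1" and name="myform[input1]" when the user typed an apostrophe.
$simulatedPost = [
    'input1' => "Eddie\\'s code",
    'myform' => [
        'input1' => "O\\'Brien",
        'nested' => ['deeper' => "it\\'s \\\"quoted\\\""],
    ],
];

// In the shared include file this would read:
//   if (magicQuotesActive()) { $_POST = stripMagicQuotes($_POST); $_GET = ...; }
// Here the normaliser is applied directly so the constructed sample is processed.
$clean = stripMagicQuotes($simulatedPost);

var_dump($clean['input1']);                      // string(12) "Eddie's code"
var_dump($clean['myform']['input1']);            // string(7) "O'Brien"
var_dump($clean['myform']['nested']['deeper']);  // string(13) "it's "quoted""

// Why the guard matters: running stripslashes() on data that was never slashed
// destroys legitimate backslashes, e.g. "C:\\path" would become "C:path".
var_dump(stripslashes("C:\\path"));              // string(6) "C:path"
```

The guard also answers the hosting concern raised earlier in the thread: when the host upgrades to a PHP without magic quotes, magicQuotesActive() becomes false and the normaliser is skipped, so the same include keeps working on both old and new servers.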
