NYCPHP Meetup

NYPHP.org

[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

Rob Marscher rmarscher at beaffinitive.com
Tue Oct 31 15:27:16 EST 2006


A side note here about mysql_real_escape_string - curious if anyone is 
an expert on this...  In the last year, I switched over from using 
addslashes to using mysql_real_escape_string to escape strings in sql 
statements because it's the 'right thing to do.'

I'm currently reading "Building Scalable Web Sites" by Cal Henderson 
(which I think is great so far for anyone making large [or potentially 
large] web apps).  In the section about avoiding sql injection attacks, 
he says "the more complicated mysql_real_escape_string escapes a bunch 
more characters but is ultimately unnecessary (although useful for 
making logs easier to read)."  I thought that was interesting - 
"ultimately unnecessary."

Although I guess this argument will be moot as soon as people move to 
php 5/mysql 5, as prepared statements seem to be the way to go there.

-Rob

csnyder wrote:
> On 10/30/06, tuon1 at netzero.net <tuon1 at netzero.net> wrote:
>   
>> [...]
>>         //Add new customer to database
>>         function AddNewCustomer($FirstName, $LastName, $Address,
>>                                 $City, $State, $ZipCode,
>>                                 $AreaCode, $Phone, $Email,
>>                                 $WebsiteURL, $LoginName, $Password)
>>         {
>>             // The submitted values are concatenated straight into the
>>             // SQL text without any escaping
>>             $query = 'INSERT INTO Customer_Info (FirstNameCol,
>>                 LastNameCol, AddressCol, CityCol, StateCol,
>>                 ZipCodeCol, AreaCodeCol, PhoneCol,
>>                 EmailCol, WebsiteURLCol,
>>                 LoginNameCol, PasswordCol)
>>             VALUES ("' . $FirstName . '", "' . $LastName . '",
>>                 "' . $Address . '", "' . $City . '",
>>                 "' . $State . '", "' . $ZipCode . '",
>>                 "' . $AreaCode . '", "' . $Phone . '",
>>                 "' . $Email . '",
>>                 "' . $WebsiteURL . '", "' . $LoginName . '",
>>                 "' . SHA1($Password) . '")';
>>             return mysql_query($query);
>>         }
>>
>> Feel free to correct my code and give suggestions for better techniques.
>>
>>     
>
> Hi Paul,
>
> You always need to escape each of the user submitted values in your
> SQL, in order to prevent breakage and security vulnerabilities. The
> mysql_real_escape_string() function is the recommended way to do this.
>
> function dbEsc( $value ) {
>   return mysql_real_escape_string( $value );
> }
>
> function AddNewCustomer( $FirstName ) {
>   $query = 'INSERT INTO Customer_Info ( FirstNameCol )
>                              VALUES ("'. dbEsc($FirstName) . '")';
>   return mysql_query($query);
> }
>
> This is one of the two fundamental rules of secure web programming
> with php (the other being that you always escape output values using
> htmlentities()).
>
>   
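The two approaches discussed in this thread, csnyder's per-value escaping and the prepared statements Rob expects people to move to with PHP 5 / MySQL 5, side by side as an added example. This is not code from either poster; it assumes a mysqli connection (host, user, password and database are placeholders), the Customer_Info table and column names from Paul's original function, and it swaps the thread's SHA1() for password_hash(), which is my choice rather than anything the thread states.

```php
<?php
// Added example, not code from the thread. Connection details are placeholders.
$db = new mysqli('db-host-placeholder', 'user-placeholder',
                 'password-placeholder', 'database-placeholder');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
// real_escape_string() escapes for the connection's current character set,
// so the character set must be set on the connection, not assumed.
$db->set_charset('utf8mb4');

// Escaping form, as csnyder recommends, with the connection passed in
// explicitly so the escaping matches the character set in use.
function dbEsc(mysqli $db, string $value): string
{
    return $db->real_escape_string($value);
}

function addNewCustomerEscaped(mysqli $db, string $firstName, string $lastName): bool
{
    // Every untrusted value goes through dbEsc() before concatenation.
    $query = 'INSERT INTO Customer_Info (FirstNameCol, LastNameCol)
              VALUES ("' . dbEsc($db, $firstName) . '", "' . dbEsc($db, $lastName) . '")';
    return (bool) $db->query($query);
}

// Prepared-statement form: the SQL text and the data are sent separately,
// so no value is ever parsed as part of the statement and no escaping can
// be forgotten.
function addNewCustomer(mysqli $db, array $c): bool
{
    $stmt = $db->prepare(
        'INSERT INTO Customer_Info
           (FirstNameCol, LastNameCol, AddressCol, CityCol, StateCol, ZipCodeCol,
            AreaCodeCol, PhoneCol, EmailCol, WebsiteURLCol, LoginNameCol, PasswordCol)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // password_hash() instead of the thread's SHA1(): my assumption, not from the page.
    $passwordHash = password_hash($c['Password'], PASSWORD_DEFAULT);
    $stmt->bind_param(
        'ssssssssssss',
        $c['FirstName'], $c['LastName'], $c['Address'], $c['City'], $c['State'],
        $c['ZipCode'], $c['AreaCode'], $c['Phone'], $c['Email'], $c['WebsiteURL'],
        $c['LoginName'], $passwordHash
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output escaping, the second rule csnyder mentions: a value read back from
// the database is HTML-escaped before it is placed in a page.
function renderName(string $firstName): string
{
    return '<td>' . htmlentities($firstName, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed input: a last name containing a quote, which would break the
// unescaped concatenation in the original function but is stored verbatim
// by both forms above.
$customer = [
    'FirstName' => 'Paul', 'LastName' => "O'Brien", 'Address' => '1 Main St',
    'City' => 'New York', 'State' => 'NY', 'ZipCode' => '10001',
    'AreaCode' => '212', 'Phone' => '555-0100', 'Email' => 'paul@example.com',
    'WebsiteURL' => 'https://example.com', 'LoginName' => 'paul',
    'Password' => 'constructed-password',
];
var_dump(addNewCustomerEscaped($db, $customer['FirstName'], $customer['LastName']));
var_dump(addNewCustomer($db, $customer));
echo renderName($customer['FirstName']), "\n";
```

The escaping form only stays safe while every concatenation point remembers to call dbEsc() and the connection's character set is the one the escaping was done for; the prepared-statement form removes both of those conditions, which is why it is the simpler thing to audit.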


