
Thread: Would allowing " and \ cause SQL Injection

  1. #1

    Thread Starter
    Addicted Member kill_bill_gates's Avatar
    Join Date
    Oct 2004
    Posts
    222

    Would allowing " and \ cause SQL Injection

    I was wondering if allowing " and \ in the username or password field would cause SQL injection. Could somebody explain this one to me and tell me what magic quotes does?

    Thanks a lot in advance...
    "Quis custodiet ipsos custodes?"
    Juvenal
    Mete the Hun wanted to live in peace with the Chinese. So he gave the Chinese Emperor his favorite horse, best swords in his armory, and lots of other cool stuff. But then the Chinese Emperor asked for one thing. A useless land through the north. It was a small, useless, unproductive, uninhabited piece of land. But Mete the Hun's answer was certain:
    I gave you horses, weapons and much more which belonged to me. But the lands are not mine, it's my nation's and I'm ready to fight, kill and die for just an inch my country
    -=Joey Jordison R0CKS!! =-

  2. #2
    PowerPoster Pc_Madness's Avatar
    Join Date
    Dec 2001
    Location
    Melbourne, Australia
    Posts
    2,765

    Re: Would allowing " and \ cause SQL Injection

    Ahhh... no I don't think it would as long as you use Mysql_real_escape_string() around the input data or whatever it is, as it'll escape every " or \ in the string.

    visualAd is the pro on this though I think. :\
    Don't Rate my posts.

  3. #3
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: Would allowing " and \ cause SQL Injection

    Magic quotes is evil. It auto magically adds slashes to any quotes found in outside data, such as POST, GET and COOKIE. The problem is, you cannot always rely on it being on.

    Worse, if you are relying on magic quotes to protect you from SQL injection exploits, it will give you a false sense of security. While it works ok with MySql, some other databases such as MsSql, Access and Foxpro do not use a backslash to escape quotes.

    Fortunately you can test whether magic quotes is on and undo its damage if necessary. Two versions of the stripslashes and addslashes functions which test for the magic quotes:
    PHP Code:
    /**
     * Remove slashes from a previously escaped string
     * only if magic quotes is turned on.
     * @param string $string
     * @return string
     */
    function stripslashes_safe($string)
    {
        if (get_magic_quotes_gpc()) {
            // Magic quotes already added backslashes; take them back out.
            return stripslashes($string);
        } else {
            return $string;
        }
    }

    /**
     * Escape quotes in a string using backslashes only if
     * magic quotes is turned off.
     * @param string $string
     * @return string
     */
    function addslashes_safe($string)
    {
        if (!get_magic_quotes_gpc()) {
            // Nothing has escaped the string yet; do it ourselves.
            return addslashes($string);
        } else {
            return $string;
        }
    }
    Last edited by visualAd; Dec 22nd, 2005 at 06:46 PM.
    Latest quote: crptcblade - VB6 executables can't be decompiled, only disassembled. And the disassembled code is even less useful than I am.

    Spread happiness and joy. Rate good posts.

  4. #4
    Kitten CornedBee's Avatar
    Join Date
    Aug 2001
    Location
    In a microchip!
    Posts
    11,594

    Re: Would allowing " and \ cause SQL Injection

    Generally, I treat everything I get from the user to a stripslashes_safe-like function and then use prepared queries for the actual action. PEAR:B and PHP DBO can emulate prepared queries for databases that don't support them (such as MySQL pre-4.1).

    A prepared query is a query that contains question marks:
    Code:
    SELECT * FROM table WHERE name = ?
    Then you can substitute these parameters with actual values. The cool thing about this is that the database driver takes care of correct quoting and escaping. All you have to do is make sure the parameters aren't already quoted.
    All the buzzt
    CornedBee

    "Writing specifications is like writing a novel. Writing code is like writing poetry."
    - Anonymous, published by Raymond Chen

    Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
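    The prepared-query approach from CornedBee's post, as an added example that is not from the thread: the login lookup this thread is about, written once with string concatenation and once as a PDO prepared statement, run against an in-memory SQLite table (the users table, its columns and the sample rows are assumptions constructed for the demo).

```php
<?php
// Added example, not code from the thread. Table and column names
// (users, name, pass_hash) and the sample rows are constructed assumptions.

// Vulnerable form: user input is spliced into the SQL text, so a " or \
// in $name changes the structure of the query instead of staying a value.
function find_user_unsafe(PDO $db, string $name): ?array
{
    $sql = "SELECT id, name FROM users WHERE name = \"$name\"";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe form: the query text is fixed and holds only a placeholder; the value
// travels separately, so the driver does the quoting and the input can never
// alter the statement. The value is passed raw - not pre-quoted and not run
// through addslashes() - exactly as CornedBee's post says it must be.
function find_user_safe(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)');
$db->exec("INSERT INTO users (name, pass_hash) VALUES ('alice', 'h1'), ('bob', 'h2')");

// A plain lookup works the same either way.
var_dump(find_user_safe($db, 'alice'));     // array with id 1, name "alice"

// A name containing a stray double quote: the prepared version simply finds
// no such user, while the concatenated version hands the database a
// malformed statement (and crafted input could reshape the WHERE clause).
$name = 'alice"';
var_dump(find_user_safe($db, $name));       // NULL: no user literally named that
try {
    var_dump(find_user_unsafe($db, $name));
} catch (PDOException $e) {
    echo "unsafe query broke: ", $e->getMessage(), "\n";
}
```

    Run with the php CLI; it needs the pdo_sqlite extension, which ships with most PHP builds.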

  5. #5

    Thread Starter
    Addicted Member kill_bill_gates's Avatar
    Join Date
    Oct 2004
    Posts
    222

    Re: Would allowing " and \ cause SQL Injection

    (I'm using MySQL)

    Would using addslashes() work?

  6. #6
    Kitten CornedBee's Avatar
    Join Date
    Aug 2001
    Location
    In a microchip!
    Posts
    11,594

    Re: Would allowing " and \ cause SQL Injection

    addslashes() correctly escapes strings for MySQL, but beware the stuff we talked about.

  7. #7
    Fanatic Member Matt_T_hat's Avatar
    Join Date
    Dec 2001
    Location
    '76 Male Body Evil-Errors: 666
    Posts
    774

    Re: Would allowing " and \ cause SQL Injection

    I mostly allow every last character in passwords, and the first thing I do is MD5 (one-way encrypt) it, so it doesn't matter, but no one can read the password if they get the database.

    With user names, again, this is a special case, and I would carefully do a replace for all the characters I wanted to allow and replace them with HTML escape codes so that no HTML injection can hurt things (HTML injection, also called a site to site scripting attack, is used with javascript and often used to steal cookies).

    In all other cases I would clean up all input that might come from a user (even hidden values in forms (trust nothing)) so that the SQL sequence is safe.
    ?
    'What's this bit for anyway?
    For Jono
