  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318

When would I need to use the real_escape_string() function in the mysqli class?

When would I need to use the real_escape_string() function in the mysqli class? I read the
explanation at http://php.net/manual/en/function.stripslashes.php

but I'm not sure I understand what it does and when to use it.
0
Asked: Nura111
2 Solutions
 
Marco Gasi (Freelancer) commented:
A note: your link is to stripslashes, not to the real_escape_string() function: a typo?

The real_escape_string() function places a backslash before some dangerous characters such as NUL (ASCII 0), \n, \r, \, ', " and Control-Z (http://it.php.net/manual/en/mysqli.real-escape-string.php). This is useful every time you have to insert values into a database, preventing bad data from being inserted. As the PHP manual says, you have to use this function every time you send a query to MySQL.
0
 
Ray Paseur commented:
Use it on everything that is not an internally generated integer.  It will cause no harm and may save your bacon some day!
0
 
Nura111 (Author) commented:
Is it also a security issue if I'm not using it?
0
 
Ray Paseur commented:
Yes, it can prevent a foreign agent from injecting information into your queries. Look up SQL injection on this and other sites:
http://en.wikipedia.org/wiki/SQL_injection
0
 
Cornelia Yoder (Artist) commented:
SQL Injection hacking uses certain characters to get access to your database structure and from that to your data.  mysql_real_escape_string() safeties those characters so they cannot be used in a query for hacking purposes.

ALL inputs, and I mean ALL, even hidden inputs, need to be safetied against hacking if they are ever used in any way in any query.

Most inputs should be checked directly ... if it is supposed to be a number, check that it is a number; if it is supposed to be one of three values, check that it is one of those three values; etc.

Text input is the big problem, since it can be made to contain those special characters, and is not easily checked with a whitelist or value type, so you need to use a safety mechanism such as mysql_real_escape_string() to guard it.

EVERY input must be checked, remember that and you won't be coming back here next month asking how to recover from hacking :):)
0
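An added example, not code from the thread or from the PHP manual, that puts the two points made so far into one script: what real_escape_string() does to a quoted value (Marco's note) and the "check every input directly" rule from the answer above. The table `messages`, its columns, the connection constants, the helper names and the sample inputs are all assumed; the lookup functions need a MySQL server to actually run.

```php
<?php
// Added example (not from the thread). Table, columns and credentials are
// hypothetical placeholders; replace them with your own.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // errors become exceptions

const DB_HOST = 'localhost';
const DB_USER = 'app_user';
const DB_PASS = 'change-me';
const DB_NAME = 'app_db';

/** UNSAFE: the raw value is pasted into the SQL text. A quote in the value,
 *  even a legitimate one such as the apostrophe in O'Pinth, ends the string
 *  literal early and whatever follows is parsed as SQL. */
function findByEmailUnsafe(mysqli $db, string $email): ?array
{
    $sql = "SELECT id, email_address FROM messages WHERE email_address = '$email'";
    try {
        $res = $db->query($sql);
    } catch (mysqli_sql_exception $e) {
        return null;   // syntax error caused by the unescaped quote
    }
    return $res->fetch_assoc() ?: null;
}

/** ESCAPED: real_escape_string() backslashes NUL, \n, \r, \, ', " and Control-Z
 *  according to the connection's character set. It only protects a value that
 *  sits inside quotes; it does nothing useful for an unquoted number. */
function findByEmailEscaped(mysqli $db, string $email): ?array
{
    $safe = $db->real_escape_string($email);
    $sql  = "SELECT id, email_address FROM messages WHERE email_address = '$safe'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

/** PREPARED: the value travels separately from the SQL text, so no escaping
 *  is needed and the structure of the query cannot change. */
function findByEmailPrepared(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email_address FROM messages WHERE email_address = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($id, $addr);
    $row = $stmt->fetch() ? ['id' => $id, 'email_address' => $addr] : null;
    $stmt->close();
    return $row;
}

/** Direct checks for inputs that are not free text: an id must be a positive
 *  integer and a status must be one of a fixed list. Reject, don't "clean". */
function validateId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

function validateStatus(string $raw): string
{
    $allowed = ['new', 'read', 'archived'];
    if (!in_array($raw, $allowed, true)) {
        throw new InvalidArgumentException('status must be one of: ' . implode(', ', $allowed));
    }
    return $raw;
}

// Constructed inputs, as they might arrive in $_GET / $_POST.
$email  = "o'pinth@example.com";
$rawId  = '42';
$status = 'read';

$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$db->set_charset('utf8mb4');   // escaping rules depend on the connection charset

var_dump(findByEmailUnsafe($db, $email));     // fails on the apostrophe
var_dump(findByEmailEscaped($db, $email));    // quote is backslashed, query runs
var_dump(findByEmailPrepared($db, $email));   // value never enters the SQL text

$stmt = $db->prepare('UPDATE messages SET status = ? WHERE id = ?');
$stmt->bind_param('si', $status, $id);
$status = validateStatus($status);
$id     = validateId($rawId);
$stmt->execute();
```

The escaped and prepared versions give the same result for the sample address; the difference is that the prepared statement also covers cases where you forget the surrounding quotes, which is why it is the form to reach for when the mysqli class is available. Note that set_charset() is called before any escaping: real_escape_string() must know the connection's character set to escape correctly.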
 
Nura111 (Author) commented:
Is it the same issue as not using htmlspecialchars() on a input from a user?
Is there a need to use both?
0
 
Nura111 (Author) commented:
Another thing: so you mean to use mysql_real_escape_string()
on the input before it's been used to insert into the db or otherwise, right?


So what is the issue when using {$row['id']} in an HTML form, e.g.

<td>{$row['id']}</td>
<td>{$row['timestamp']}</td>
<td>{$row['email_address']}</td>
<td>{$fromAddress}</td>

without htmlspecialchars() before? I've been told it's a security issue as well, and I don't understand why.
0
 
Cornelia Yoder (Artist) commented:
You do not need to use both.  I personally prefer and use htmlspecialchars() on all text input.

The difference is that mysql_real_escape_string just safeties the SQL injection hacking, but not certain other kinds of things.   htmlspecialchars changes ALL special characters into their html &#xxx code equivalents.

The only drawback to using htmlspecialchars is that it takes a few more bytes in your database ... each special character takes 5 bytes instead of 1 ... so if you have a LOT of text with special characters stored, that might be a problem.

The advantage of using htmlspecialchars is that it safeties more things, for example not letting some evil javascript into your database that might be exploited later.
0
 
Ray Paseur commented:
If you accept and store any external textual input, you need to filter it.  If, for example, you're expecting an English-language name you can expect that it will contain alphabetic characters, the space, apostrophe, hyphen, comma, and the period.  Example:

Leonard O'Pinth-Garnell, Jr.

A regular expression that would remove all the other stuff would look something like this (the caret inside the character class implies negation):

/[^ A-Z'\-,.]/i

So each time you received a name from an external source, you would apply the regular expression and you would thereby accept only known good values for your name field.

If you have unfiltered or marginally filtered data in your data base, you need to escape it before you send it to the browser output stream.  Otherwise you risk becoming an attack vector against your clients.  Example:

echo '<td>';
echo htmlentities($row["usertext"]);
echo '</td>';

I prefer to escape the data on the outbound side of things, rather than escaping the data before storing it.  If you escape before you put the data into the data base, you may have munged the data, and in any case, you have not stored the data that was sent to you, you have stored something that is a derivative work.  Search algorithms may not work correctly on the escaped data.  The origin of the term is uncertain, but a mung operation makes changes to the data in a way that may be irrevocable and that loses some of the original information.

Required reading:
http://php.net/manual/en/security.php

Old, but still valuable:
http://phpsec.org/projects/guide/

Now having said that, you need to be aware that the whole field of security is growing rapidly.  The US Government has just put a crack team of 115 engineers to work at the National Security Agency for the purpose of studying the field.  The University of Maryland offers a full-time, four-year college major in IT Security.  So you must not assume that you can follow a few "best practices" and things will work out OK.  You need to be learning about the new threats all the time and reviewing your code to see if there are new threats that might cause you to need to refactor your old code.  It's never going to end, so you might as well join the rest of us who do our best to keep up to date on the threats that are around us.

Best regards, ~Ray
0
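An added example, not Ray's code, that carries the answer through end to end: a whitelist filter for the name on the way in (the character class above with the apostrophe included, so the sample name survives), the stored value left unchanged, and every cell escaped on the way out with htmlspecialchars(), which handles the same characters as the htmlentities() call above for this purpose. The helper names, the sample row and the from address are constructed; nothing here touches a database.

```php
<?php
// Added example (not from the thread): filter on input, escape on output.
declare(strict_types=1);

/** Keep only what an English-language name is expected to contain: letters,
 *  space, apostrophe, hyphen, comma and period. The hyphen is escaped so it
 *  is not read as a range from ' to , (which would admit ( ) * + as well). */
function filterName(string $raw): string
{
    $clean = preg_replace('/[^ A-Z\'\-,.]/i', '', $raw);
    return trim($clean ?? '');
}

/** Escape a value for placement inside HTML text or an attribute.
 *  ENT_QUOTES also converts the single quote, which the default flags leave
 *  alone in older PHP versions; ENT_SUBSTITUTE replaces invalid UTF-8 instead
 *  of returning an empty string. Helper name is ours. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one table row from a fetched record, escaping every cell, including
 *  ones that look harmless (an id, a timestamp): the habit is what protects you
 *  when a column later starts carrying user text. */
function renderRow(array $row, string $fromAddress): string
{
    $cells = [$row['id'], $row['timestamp'], $row['email_address'], $fromAddress];
    $html  = "<tr>\n";
    foreach ($cells as $cell) {
        $html .= '    <td>' . h((string) $cell) . "</td>\n";
    }
    return $html . "</tr>\n";
}

// Constructed inputs: the thread's sample name as-is, and the same name with
// stray characters that the whitelist drops.
$names = ["Leonard O'Pinth-Garnell, Jr.", "Leonard <b>O'Pinth</b>; Jr."];
foreach ($names as $n) {
    echo filterName($n), "\n";
}

// Constructed record standing in for a fetched database row. The e-mail field
// carries markup and a quote to show that escaping happens here, at output,
// not at storage time, so the stored value stays exactly as received.
$row = [
    'id'            => 7,
    'timestamp'     => '2013-01-01 12:00:00',
    'email_address' => "o'pinth@example.com <b>note</b>",
];
echo renderRow($row, 'noreply@example.com');
```

Each escape belongs to the place the data is going: real_escape_string() or a bound parameter when a value goes into a quoted SQL literal, htmlspecialchars() when the same value goes into a page. Because the row is escaped only when rendered, the database keeps the original text and searches and comparisons on it keep working, which is the point Ray makes about munging above.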