SQL Injection.. is it really that simple?

Psybadek · #1 (**permalink**) 01-18-09, 05:10 PM

I dont know why, but now that I'm taking the time to secure my script I really want to know, is all I need to do to prevent it is to just wrap whats being inputted in mysql_real_escape_string?

End User · #2 (**permalink**) 01-18-09, 07:21 PM

Quote:

Originally Posted by Psybadek

I dont know why, but now that I'm taking the time to secure my script I really want to know, is all I need to do to prevent it is to just wrap whats being inputted in mysql_real_escape_string?

Trust me, mysql_real_escape_string() is easily bypassed. It will NOT keep you safe and that's a fact. Check here for lots of examples that will easily bypass mysql_real_escape_string():

http://ha.ckers.org/xss.html

If you can protect against all of those examples, you're *probably* safe (but I wouldn't count on it).

If you can't protect against all of those, you aren't safe.

mysql_real_escape_string() is like an airbag that always works right up until it's needed.

Psybadek · #3 (**permalink**) 01-18-09, 07:56 PM

OK, so is there any good tutorials on preventing sql injection? I figured it couldn't be that simple.

End User · #4 (**permalink**) 01-18-09, 09:39 PM

Well, you could Google for "preventing sql injection" but that would almost be like cheating.

Psybadek · #5 (**permalink**) 01-18-09, 09:51 PM

I have but all they tell me to do is use mysql_real_escape_string

End User · #6 (**permalink**) 01-19-09, 03:31 PM

Quote:

Originally Posted by Psybadek

I have but all they tell me to do is use mysql_real_escape_string

Out of 4.6 million results, I'd bet there's one that doesn't suggest mysql_real_escape_string() is the ultimate solution.

therocket954 · #7 (**permalink**) 01-20-09, 09:03 AM

That is fantastic.

Thanks End User.

I've been using a combination of preg_match(), mysql_real_escape_string(), and a bunch of if statements... this is much cleaner

End User · #8 (**permalink**) 01-21-09, 08:35 AM

Quote:

Originally Posted by therocket954

That is fantastic.

Thanks End User.

I've been using a combination of preg_match(), mysql_real_escape_string(), and a bunch of if statements... this is much cleaner

You're welcome, and I'm glad you like it. I can't take full credit for it, however- I started with some code scavenged from CodeIgniter and added some additional tweaks, checks, and functionality. I think it's reasonably safe. If someone can find a way to spoof that function, I'd be proud to have them hijack my server and make it part of their botnet.

.

sushi4664 · #9 (**permalink**) 01-25-09, 07:00 PM

Woah...impressive function...I am about to borrow that. How can I attribute it? (I hate to take functions other people wrote without stating that I didn't write it)

Psybadek · #10 (**permalink**) 01-25-09, 07:16 PM

so your saying your not going to give credit for the function?