I'm developing my personal web site using php. everything is ok but I just read mysql_real_escape_string manual in php.net and found two things:
- This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
- mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
I have two questions:
1-what are these exceptions?
2- how to escape those characters?
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
To my great disappointment, the manual page says complete rubbish, and they refuse to make it correct.
So, quite contrary, there are only few cases when you need this function. So to say ONLY ONE: when you are adding a string into SQL query.
mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
It doesn't matter too much. As long as you are using LIKE operator on purpose, these characters won't do any harm.
But if you want to escape the string going to LIKE statement, you can use this code
$like = addCslashes($like,'\%_');
(note the slash - it is also required to be escaped as manual stating it. also note the C letter in the function name).
After this procedure you may use the resulting $like variable whatever way you are using to build your queries - either quote and escape them or use in the prepared statement.
addCslashes($data,"%_"); will do the trick
\% in your SQL.
mysql_real_escape_string in my sql queries. is it enough to prevent sql injection? if not, can you give me a good resource on this topic?I 'm not sure what exceptions the manual is referring to when talking about making data safe. You could say that the exception is when the data is already known to be safe. For example, here are a few cases that come to mind:
For example, if you have $id = intval($_GET['id']) then you do not need to escape $id before injecting it into a query.
However! It can never hurt you to escape all input, and doing so eliminates the chance that you introduce vulnerabilities in your code (e.g. if you forget to escape, if the requirements change, or anything really). So I recommend getting into the habit of escaping everything and forgetting about "exceptions".
As for the % and _ characters as part of the input, these do not need to be escaped unless you are going to feed this input to a command that recognizes them. So for example, if you have a query like this:
$term = $_GET['term'];
$sql = sprintf("SELECT FROM table WHERE column LIKE '%%s%'",
mysql_real_escape_string($term));
In this case, if the user types a % as part of $term it's reasonable to assume that they want to actually search for a literal %. Therefore in such cases you should escape % by replacing it with \% (\ is the default escape character). str_replace or strtr are two good options for this.
mysql_real_escape_string = safe. It has everything to do with safety indirectly, because it's a prerequisite for what provides safety directly (quoting). Thanks for the DV anyway.However! It can never hurt you to escape all input, congratulations, you just invented magic quotes feature!You may write your own function ;) See this thread for more information.
Else you may use the PDO library or any other such libraries.
MSSQL not mysql:-)
LIKEclauses, and is not relevant for using string data in other contexts.