Is pg_escape_string or mysql_escape_string enough to sanitize a string before inserting data into a database table?
Possible duplicate: stackoverflow.com/questions/2487357/… – OM The Eternity, Apr 29, 2010 at 10:36
Read this: stackoverflow.com/questions/110575/… – Manos Dilaverakis, Apr 29, 2010 at 10:57
5 Answers
The word “sanitize” is highly questionable. It implies a worldview where certain characters are “bad” and have to be filtered at source. This is misguided.
Getting text in suitable format to go in an SQL query is about escaping out-of-band characters to their SQL literal form, not about removing “bad” characters. If you want to validate user input on entry to your application (eg. verifying a telephone number has no letters in it, or getting rid of unwanted control characters) then that's fine. But that's an application-specific validation concern, and an entirely different issue to anything to do with SQL-escaping or HTML-escaping. Those are output-stage concerns.
mysql_escape_string is potentially not enough to safely escape text for inclusion in an SQL string literal. On a connection that might be using some East Asian character sets as the encoding, or some non-default SQL syntax options, it will generate malformed strings that can permit SQL-injection. mysql_real_escape_string is better. However, parameterised queries avoid the issue and are to be preferred where available.
pg_escape_string uses the connection, like mysql_real_escape_string does, so I would expect it to be safe. But still, parameters! In pg_ you get pg_query_params so there's no excuse not to use them.
Comments
For the data - yes. Just don't forget to enclose it in quotes too.
But parametrized queries are considered better, because escaping rules seem too complicated for the average PHP programmer.
Note that neither escaping nor parameters has anything to do with identifiers or operators. Say, field names cannot be sanitized at all. Escaping can't help with LIMIT parameters either.
Comments
No.
Blindly calling mysql_real_escape_string is not enough in order to prevent SQL injection attacks. From the manual:
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
2 Comments
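The points made in the two answers above, worked as an added example in Python with the standard sqlite3 module (not code from this page, and not the PHP pg_/mysql_ functions it discusses): bound parameters carry the data, a whitelist handles the ORDER BY identifier, an integer cast handles LIMIT, and LIKE wildcards are escaped separately because neither escaping nor parameters touch % and _. The contacts table, its column names and the 1..100 limit range are constructed assumptions.

```python
import sqlite3

# Assumption: the application's own schema; only these columns may be sorted on.
ALLOWED_SORT_COLUMNS = {"name", "phone"}


def make_db():
    """Constructed sample data in an in-memory database so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", [
        ("O'Brien", "555-0100"),            # quote inside data
        ("100% Natural Foods", "555-0101"),  # LIKE wildcard inside data
        ("Alice", "555-0102"),
    ])
    return conn


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters; a bound parameter keeps the value a string
    literal but does nothing about % and _ inside a LIKE pattern."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search(conn, term, sort_by, limit):
    """Return matching names; each untrusted input gets the treatment its
    position in the statement requires."""
    # Identifier: cannot be escaped or bound, so it is whitelisted.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    # LIMIT: must be an integer, never a quoted string.
    limit = int(limit)
    if not 1 <= limit <= 100:
        raise ValueError("limit out of range")
    # Data: a bound parameter, with no quoting done by hand; the ESCAPE clause
    # declares the character escape_like() used.
    sql = (f"SELECT name, phone FROM contacts "
           f"WHERE name LIKE ? ESCAPE '\\' ORDER BY {sort_by} LIMIT {limit}")
    pattern = "%" + escape_like(term) + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]
```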
htmlspecialchars() at the output stage. HTML Purifier is useful only for those rare cases where you need to let the user input literal markup.