vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 General Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=111)
-   -   Security: SQL Insertion (https://vborg.vbsupport.ru/showthread.php?t=93679)

VBCoder 08-05-2005 03:16 PM

Security: SQL Insertion
 
Does the DB query_insert handle escaping of nasty characters (parentheses, commas, quotes, etc.) - to avoid SQL insertion attacks, or just plain SQL corruption?

(I know the Perl DBI does all of this for you, saving Perl programmers from many of the headaches - and breakins - common to PHP)

Also, why does the vB code *never* use the query_insert method?

Andreas 08-05-2005 03:43 PM

It doesn't, it's just a shortcut.

But AFAIK the new DB Class supports prepared statements, if that is what you want.

Edit: mysqli supports it, the new DB class doesn't.

VBCoder 08-05-2005 04:40 PM

Yeah, mysqli is great. Once you've used the power of DBI over roll-your-own-string-SQL, you can't go back.

Kirby, then, can I ask you: What is the best way, in vB / PHP, to ensure that all data passed to the INSERT is quoted and escaped properly?

(Doing it by hand can get tricky, with nulls, quotes, slashes, charsets, etc. - especially when you don't want to strip anything, just get it to the DB safely).

sabret00the 08-05-2005 04:47 PM

addslashes();

but make sure you use it on a new variable, not $_POST/$_GET/$_REQUEST/$_SERVER/$_COOKIE/etc

Andreas 08-05-2005 05:00 PM

$db->escape_string()

The Geek 08-05-2005 05:01 PM

$db->escape_string($string) is the best way AFAIK.

VBCoder 08-05-2005 05:33 PM

Yeah, addslashes is not sufficient, for a lot of reasons.

I took a look at escape_string - it defaults to mysql_escape_string(), which is good, except:
Quote:

Originally Posted by PHP Docs
This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().

But at least we're somewhere...

It's a shame that PHP programmers have to go through such hula hoops for what should be basic DB class functionality (again, see DBI for an example)... Building your own string is not only inefficient (and a hassle for the programmer) - it opens the door to a lot of security issues and internationalization bugs.
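The question above (how to get every value into an INSERT quoted and escaped correctly) and the point that addslashes() is not enough both come down to the same two options. The following is an added example, not vBulletin's own code: a small mysqli helper that renders PHP null as SQL NULL, numbers as numbers and strings through the connection's charset-aware real_escape_string(), alongside the prepared-statement path that keeps values out of the SQL text entirely. It assumes PHP 8.1 or later (mysqli_stmt::execute() accepting a parameter array) and a live MySQL server; the host, credentials and table names are placeholders.

```php
<?php
// Added example (not vBulletin code). Assumes PHP 8.1+ and a reachable MySQL
// server; connection details below are placeholders.
declare(strict_types=1);

/**
 * Escape and quote one value for inline use in SQL.
 * NULL becomes the keyword NULL, ints/floats are emitted as numbers, bools as
 * 0/1, and everything else goes through real_escape_string(), which knows the
 * connection charset. addslashes() does not, which is why it is insufficient.
 */
function sql_literal(mysqli $db, mixed $value): string
{
    if ($value === null) {
        return 'NULL';
    }
    if (is_bool($value)) {
        return $value ? '1' : '0';
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . $db->real_escape_string((string) $value) . "'";
}

/**
 * Table and column names cannot be "escaped" like string literals; restrict
 * them to a safe shape and backtick-quote them.
 */
function sql_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Unsafe identifier: $name");
    }
    return '`' . $name . '`';
}

/** Build an INSERT from an associative array using escaped literals. */
function build_insert(mysqli $db, string $table, array $row): string
{
    $cols = [];
    $vals = [];
    foreach ($row as $col => $val) {
        $cols[] = sql_identifier((string) $col);
        $vals[] = sql_literal($db, $val);
    }
    return 'INSERT INTO ' . sql_identifier($table)
        . ' (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $vals) . ')';
}

/**
 * Preferred: a prepared statement. The SQL text contains only identifiers and
 * placeholders, so no value can alter the statement regardless of charset.
 * Returns the number of affected rows.
 */
function insert_prepared(mysqli $db, string $table, array $row): int
{
    $cols = array_map(fn($c) => sql_identifier((string) $c), array_keys($row));
    $placeholders = implode(', ', array_fill(0, count($row), '?'));
    $sql = 'INSERT INTO ' . sql_identifier($table)
        . ' (' . implode(', ', $cols) . ') VALUES (' . $placeholders . ')';
    $stmt = $db->prepare($sql);
    $stmt->execute(array_values($row)); // PHP 8.1+; nulls bind as SQL NULL
    return $stmt->affected_rows;
}

// Usage with placeholder connection details (constructed, not a real server).
$db = new mysqli('db.example.invalid', 'forum_user', 'placeholder', 'forum');
$db->set_charset('utf8mb4'); // escaping is only correct once the charset is set

$row = ['username' => "O'Brien", 'signature' => null, 'posts' => 0];
echo build_insert($db, 'user', $row), "\n";
insert_prepared($db, 'user', $row);
```

Setting the connection charset before any escaping matters: real_escape_string() and the server agree on what a quote byte looks like only once the charset is fixed, which is exactly the property addslashes() cannot offer. The prepared-statement path is the one to reach for when compatibility permits it.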

Andreas 08-05-2005 05:41 PM

Quote:

Originally Posted by VBCoder
I took a look at escape_string - it defaults to mysql_escape_string()

Not really ;)

PHP Code:

if (function_exists($this->functions['real_escape_string']))
{
    // prefer the charset-aware mysql_real_escape_string() when the PHP build has it
    $this->functions['escape_string'] = $this->functions['real_escape_string'];
}

I guess vB does not use prepared statements due to compatibility reasons.

VBCoder 08-05-2005 05:47 PM

Kirbs, you are the master!

