The Arcive of Official vBulletin Modifications Site.

VBCoder · #1 08-05-2005, 03:16 PM

Does the DB query_insert handle escaping of nasty characters (parenthesis, commas, quotes, etc.) - to avoid SQL insertion attacks, or just plain SQL corruption?

(I know the Perl DBI does all of this for you, saving Perl programmers from many of the headaches - and breakins - common to PHP)

Also, why does the vB code *never* use the query_insert method?

Andreas · #2 08-05-2005, 03:43 PM

It doesn't, it's just a shortcut.

But AFAIK the new DB Class supports prepared statements, if that is what you want.

Edit: mysqli supports it, the new DB class doesn't.

VBCoder · #3 08-05-2005, 04:40 PM

Yeah, mysqli is great. Once you've used the power of DBI over roll-your-own-string-SQL, you can't go back.

Kirby, then, can I ask you: What is the best way, in vB / PHP, to ensure that all data passed to the INSERT is quoted and escaped properly?

(Doing it by hand can get tricky, with nulls, quotes, slashes, charsets, etc. - especially when you don't want to strip anything, just get it to the DB safely).

sabret00the · #4 08-05-2005, 04:47 PM

addslashes();

but make sure you use it on a new variable, not $_POST/$_GET/$_REQUEST/$_SERVER/$_COOKIE/etc

Andreas · #5 08-05-2005, 05:00 PM

$db->escape_string()

The Geek · #6 08-05-2005, 05:01 PM

$db->escape_string($string) is the best way AFAIK.

VBCoder · #7 08-05-2005, 05:33 PM

Yeah, addslashes is not sufficient, for a lot of reasons.

I took a look at escape_string - it defaults to mysql_escape_string(), which is good, except:

Quote:

Originally Posted by PHP Docs

This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().

But at least we're somewhere...

It's a shame that PHP programmers have to go through such hoolahoops for what should be basic DB class functionality (again, see DBI for an example)... Building your own string is not only ineffecient, (and a hassle for the programmer) - it opens the door to a lot of security issues and internationalization bugs

Andreas · #8 08-05-2005, 05:41 PM

Quote:

Originally Posted by VBCoder

I took a look at escape_string - it defaults to mysql_escape_string()

Not really

PHP Code:


			
if (function_exists($this->functions['real_escape_string']))

{

    $this->functions['escape_string'] = $this->functions['real_escape_string'];

}

I guess vB does not use prepared statements due to compatibilty reasons.

VBCoder · #9 08-05-2005, 05:47 PM

Kirbs, you are the master!

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.05035 seconds Memory Usage 2,243KB Queries Executed 13 (?)
More Information
Template Usage: (1)SHOWTHREAD (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (1)ad_showthread_beforeqr (1)ad_showthread_firstpost (1)ad_showthread_firstpost_sig (1)ad_showthread_firstpost_start (1)bbcode_php (2)bbcode_quote (1)footer (1)forumjump (1)forumrules (1)gobutton (1)header (1)headinclude (1)navbar (3)navbar_link (120)option (9)post_thanks_box (9)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (9)post_thanks_postbit_info (9)postbit (9)postbit_onlinestatus (9)postbit_wrapper (1)spacer_close (1)spacer_open (1)tagbit_wrapper Phrase Groups Available: global inlinemod postbit posting reputationlevel showthread	Included Files: ./showthread.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showthread_start showthread_getinfo forumjump showthread_post_start showthread_query_postids showthread_query bbcode_fetch_tags bbcode_create showthread_postbit_create postbit_factory postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start tag_fetchbit_complete forumrules navbits navbits_complete showthread_complete
Messages:

The Arcive of Official vBulletin Modifications Site.

It is not a VB3 engine, just a parsed copy!