Is Double escape String incorrect?

I have a database class that automatically escapes input strings before creating a query using mysqli_real_escape_string(). But it may be that in the script the string will be escaped and then passed to the database class, which will escape it again. Maybe this is wrong? What can happen?

+3
6 answers

When you first go through mysqli_real_escape_string, the following characters are escaped by inserting \ in front of each of the dangerous characters:

NUL (ASCII 0), \n, \r, \, ', " and Control-Z:

NUL (chr(0)) becomes "\0" (chr(92).chr(48))
\n (chr(13)) becomes "\n" (chr(92).chr(110))
\r (chr(10)) becomes "\r" (chr(92).chr(114))
\ (chr(92)) becomes "\\" (chr(92).chr(92))
' (chr(39)) becomes "\'" (chr(92).chr(39))
" (chr(34)) becomes "\"" (chr(92).chr(34))
Control-Z (chr(26)) becomes "\Z" (chr(92).chr(90))

In the second pass through mysqli_real_escape_string, the \ is escaped again:

"\0" (chr(92).chr(48)) becomes "\\0" (chr(92).chr(92).chr(48))
"\n" (chr(92).chr(110)) becomes "\\n" (chr(92).chr(92).chr(110))
"\r" (chr(92).chr(114)) becomes "\\r" (chr(92).chr(92).chr(114))
"\\" (chr(92).chr(92)) becomes "\\\\" (chr(92).chr(92).chr(92).chr(92))
"\'" (chr(92).chr(39)) becomes "\\'" (chr(92).chr(92).chr(39))
"\"" (chr(92).chr(34)) becomes "\\"" (chr(92).chr(92).chr(34))
"\Z" (chr(92).chr(90)) becomes "\\Z" (chr(92).chr(92).chr(90))

- , "\" , .

- : 1) 2) , . MySQL ( , ) . ( , chr (0), ).

, , . .

+5
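The two passes listed in the answer above, traced through to the value the server would store. This is an added example, not code from the original answers: `escape_like_mysql()` and `mysql_literal_value()` are hypothetical stand-ins for `mysqli_real_escape_string()` and the server's string-literal parser, and the sketch assumes an ASCII-compatible connection charset with the default SQL mode (backslash acts as the escape character).

```php
<?php
// Added example. escape_like_mysql() and mysql_literal_value() are hypothetical
// stand-ins; the real mysqli_real_escape_string() needs a live connection.

// The seven substitutions listed in the answer above.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
    ]);
}

// What the server stores after parsing a quoted literal: each backslash
// sequence collapses to one character (\% and \_ keep their backslash).
function mysql_literal_value(string $literal): string
{
    $map = ['0' => "\0", 'n' => "\n", 'r' => "\r", 'Z' => "\x1a",
            'b' => "\x08", 't' => "\t"];
    $out = '';
    for ($i = 0, $len = strlen($literal); $i < $len; $i++) {
        $c = $literal[$i];
        if ($c !== '\\' || $i + 1 >= $len) {
            $out .= $c;
            continue;
        }
        $next = $literal[++$i];
        $out .= ($next === '%' || $next === '_') ? '\\' . $next : ($map[$next] ?? $next);
    }
    return $out;
}

$input = "O'Reilly said \"let\\go\"";     // constructed sample input
$once  = escape_like_mysql($input);       // escaped by the database class only
$twice = escape_like_mysql($once);        // escaped in the script, then again in the class

foreach (['once' => $once, 'twice' => $twice] as $label => $literal) {
    $stored = mysql_literal_value($literal);
    printf("escaped %-5s literal: '%s'\n", $label, $literal);
    printf("              stored : %s [%s]\n", $stored,
        $stored === $input ? 'same as input' : 'corrupted, extra backslashes');
}
```

After the second pass the literal still parses as one string, but the stored value is the once-escaped text rather than the original input.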

( ), , , , - , unescape .

, - ( ), ( ) .., .

+6

, .

, , .

+3

, . , (, HTML-).

+1

, , , let\go.

SQL Injection , "" , . let go , . "unescape" , . , escape-.

Escaping - PHP, , - magic_quote(). http://php.net/manual/en/security.magicquotes.php , . script, php.ini, , :

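// Magic quotes were removed in PHP 5.4, and get_magic_quotes_gpc() and each()
// were removed in PHP 8.0, so this only does anything on legacy runtimes.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Work queue of references to the request arrays; nested arrays are appended below.
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                // Un-escape the key and queue the nested array for a later pass.
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                // Scalar value: strip the slashes magic quotes added to key and value.
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}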

, http://www.php.net/manual/en/security.magicquotes.disabling.php

, , , .

+1

MySQL , .

PHP , "" , , . " ".

+1

Source: https://habr.com/ru/post/1774662/

