When I send ");-- from an input field to my localhost PHP server, it AUTOMATICALLY converts it to

\");--

It seems great, except that I don't know how trustworthy this behavior is. Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production environment may not have this sort of protection automatically activated...

Why does PHP do this (convert the input without having to use mysql_real_escape_string)? Does it always do it or only with certain extensions? Is it safe to rely on this behavior to prevent SQL injections?

3 Answers

It seems that you have Magic Quotes enabled. But you had better disable this option or revert them. mysql_real_escape_string is more secure.

5 Comments

Yes, I had heard about them, but I never knew exactly what they were. I felt unsafe since I didn't know exactly what was going on. That's why I asked this. I'm going to turn it off so I can get control over my server again.
I recommend you read one of the questions here on SO that explain why Magic Quotes are bad practice and show the difference between Magic Quotes and mysql_real_escape_string().
Actually, if you have the option, use prepared statements instead of escaping data.
I'm not sure my server supports them, but I'll remember that name. The concept seems interesting, but doesn't seem to magically remove the injection threat - mysql_real_escape_string still seems to be needed.
PDO has prepared statements. That has been standard since version 5.1. You don't use explicit escaping (mysql_real_escape_string) when you use prepared statements.

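As an added example (not code from the question or any of the answers), the approach the comments recommend: strip the backslashes magic quotes added so the value is not escaped twice, then pass it to a PDO prepared statement. The `things` table and the `$_GET['thing']` parameter are assumptions for illustration, and an in-memory SQLite database is used so the script runs without a MySQL server.

```php
<?php
// Added example, not from the question or any answer on this page.
// Undo magic quotes if the host still has them on, then query through a
// PDO prepared statement so the raw value is bound as data and is never
// spliced into the SQL text. Uses in-memory SQLite so no MySQL is needed.

/**
 * Return the input as the user actually typed it. On a host with
 * magic_quotes_gpc enabled (PHP < 5.4), $_GET/$_POST values arrive with
 * backslashes added; strip them so later quoting is not applied twice.
 * The function_exists() guard is needed because get_magic_quotes_gpc()
 * no longer exists in PHP 8.
 */
function rawInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('rawInput', $value) : stripslashes($value);
    }
    return $value;
}

/**
 * Look up a thing by name. The value is bound as a parameter, so an input
 * such as ");-- is compared literally against the column instead of being
 * interpreted as part of the SQL statement.
 */
function findThing(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM things WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE things (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO things (name) VALUES ('widget')");

// Constructed sample input standing in for $_GET['thing']; with magic quotes
// on, the same value would have arrived as \");--
$userInput = rawInput(isset($_GET['thing']) ? $_GET['thing'] : '");--');

// No row is named ");--, so this lookup returns false rather than running
// a truncated statement; the second lookup returns the real row.
var_dump(findThing($db, $userInput));
var_dump(findThing($db, 'widget'));
```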
This "feature" of PHP is known as "magic quotes". As 'magic' as they may be, it is extremely bad practice to use them, as they do little more than give a false sense of security. Thankfully they have been removed from PHP 6 (in development).

A more detailed list of criticisms can be found in this Wikipedia article.

The PHP manual describes various ways to disable magic quotes.

You might want to get into talking to the database using an abstraction layer like Zend_Db. For example, if you create a select statement by instantiating a Zend_Db_Select, it would look like this:

//$_GET['thing'] is bound as a parameter, so Zend_Db quotes it for you
$select = $zdb->select()->from('things')->where('name = ?', $_GET['thing']);
$result = $zdb->fetchRow($select->__toString()); //__toString generates a really pretty, vendor independent query

//a plain vanilla query would look like this; quoteInto() escapes and quotes
//the value in place of the ? marker (passing an already quoted value as a
//bind parameter would quote it twice)
$result = $zdb->fetchRow($zdb->quoteInto('select * from things where name = ?', $_GET['thing']));
