Community News:
MySQL patch mysql_real_escape_string()
Jun 01, 2006 @ 07:16:11

Greg from Serberus.net has written in today to let us know about a new MySQL patch release that fixes some of the issues PHP developers were seeing with the database, including the mysql_real_escape_string() problem: the function escapes for the character set the client library believes the connection is using, and changing the connection's character set on the server side (for example with SET NAMES) does not update that belief.

MySQL have finally released a patched version of MySQL 5 which addresses the potential SQL injection issue with mysql_real_escape_string() and changing character set - see here.

They also describe a workaround for users who can't upgrade to the latest release.

He also mentions that Ilia Alshanetsky blogged about this very issue back in January.

tagged: mysql patch fix mysql_real_escape_string

Ilia Alshanetsky's Blog:
mysql_real_escape_string() versus Prepared Statements
Jan 23, 2006 @ 06:58:18

Ilia Alshanetsky also has his own look today at the "mysql_real_escape_string versus addslashes" debate that's going on, looking more at why there's even an issue here (with addslashes).

Chris has written a compelling piece about how the use of addslashes() for string escaping in MySQL queries can lead to SQL injection through the abuse of multibyte character sets. In his example he relies on addslashes() to convert an invalid multibyte sequence into a valid one, which also has an embedded ' that is not escaped. And in an ironic twist, the function intended to protect against SQL injection is used to actually trigger it.

The problem demonstrated actually goes a bit further, which even makes the prescribed escaping mechanism, mysql_real_escape_string(), prone to the same kind of issues affecting addslashes().

He shows code examples creating a simple SQL injection that gets past mysql_real_escape_string() in the same way, all hinging on a mismatch between the character set the escaping assumes and the one the MySQL connection is actually using. His suggested solution? Prepared statements (such as those PDO offers), which keep the data out of the query text so there is nothing to escape in the first place.

tagged: addslashes mysql_real_escape_string debate prepared statements

Chris Shiflett's Blog:
The addslashes() Versus mysql_real_escape_string() Debate
Jan 23, 2006 @ 06:46:32

In his latest blog entry, Chris Shiflett looks at a debate that's been going for a while now - addslashes() versus mysql_real_escape_string().

Last month, I discussed Google's XSS Vulnerability and provided an example that demonstrates it. I was hoping to highlight why character encoding consistency is important, but apparently the addslashes() versus mysql_real_escape_string() debate continues. Demonstrating Google's XSS vulnerability was pretty easy. Demonstrating an SQL injection attack that is immune to addslashes() is a bit more involved, but still pretty straightforward.

The remainder of the post explains the difference between the two functions, how one protects you where the other (addslashes) doesn't, and gives a simple example of how such an attack could be carried out, including code...
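The trick all three items above turn on, as an added example (this is not code from Chris Shiflett's, Ilia Alshanetsky's or MySQL's posts): a byte-level Python model of PHP's addslashes(), of a charset-aware escaper in the style of what the MySQL client library does once it knows the connection is GBK, and of a server-side lexer reading the resulting string literal. GBK as the connection character set, the `users` query and the attacker payload are assumptions constructed for the demonstration; the lexer and escaper are simplified models, not the real MySQL code.

```python
# Added example, not code from any of the posts summarized above. A byte-level
# model of the multibyte SQL injection Chris Shiflett and Ilia Alshanetsky
# describe, and of the escaper/connection charset mismatch behind it.
# Assumptions: the connection character set is GBK; the query, table name and
# attacker payload are constructed for illustration.

GBK_LEAD = range(0x81, 0xFF)    # first byte of a two-byte GBK character
GBK_TRAIL = range(0x40, 0xFF)   # second byte: 0x5c ('\') is a valid trail, 0x27 (') is not
SPECIAL = (0x27, 0x22, 0x5C)    # ' " \  (the bytes both escapers prefix with a backslash)


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP's addslashes(): it knows
    nothing about the character set, so a lone GBK lead byte passes through
    and the backslash it inserts before the quote can complete a character."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in SPECIAL:
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def escape_gbk(data: bytes) -> bytes:
    """Charset-aware escaping, modelled on the MySQL client library once it
    knows the connection uses GBK: a complete two-byte character is copied
    untouched, and a lead byte NOT followed by a valid trail byte is itself
    escaped, so 0xbf 0x27 cannot become the valid character 0xbf 0x5c
    followed by a bare quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in GBK_LEAD:
            if i + 1 < len(data) and data[i + 1] in GBK_TRAIL:
                out += data[i:i + 2]      # complete character: copy as-is
                i += 2
                continue
            out += b"\\" + bytes([b])     # dangling lead byte: escape it
            i += 1
            continue
        if b == 0x00:
            out += b"\\0"
        elif b in SPECIAL:
            out += b"\\" + bytes([b])
        else:
            out.append(b)
        i += 1
    return bytes(out)


def split_literal(sql: bytes, multibyte: bool) -> tuple[bytes, bytes]:
    """Simplified model of the server lexer reading a single-quoted literal
    that starts at sql[0]. Returns (literal body, bytes after the closing
    quote). With multibyte=True a valid GBK lead+trail pair is one character,
    which is exactly what the attack relies on; a backslash skips one byte."""
    assert sql[:1] == b"'"
    i = 1
    while i < len(sql):
        b = sql[i]
        if multibyte and b in GBK_LEAD and i + 1 < len(sql) and sql[i + 1] in GBK_TRAIL:
            i += 2                        # one two-byte character
        elif b == 0x5C:
            i += 2                        # escaped byte
        elif b == 0x27:
            return sql[1:i], sql[i + 1:]  # closing quote found
        else:
            i += 1
    return sql[1:], b""                   # unterminated literal


PAYLOAD = b"\xbf' OR 1=1 -- "             # constructed attacker input
PREFIX = b"SELECT * FROM users WHERE name = "


def build_query(escaper, payload: bytes = PAYLOAD) -> bytes:
    """Interpolate the escaped payload into the (constructed) query."""
    return PREFIX + b"'" + escaper(payload) + b"'"


def injected(escaper, multibyte: bool) -> bool:
    """True if the server would see SQL after the literal beyond the intended
    closing quote, i.e. the quote inside the payload broke out of the string."""
    sql = build_query(escaper)
    _literal, rest = split_literal(sql[len(PREFIX):], multibyte)
    return rest != b""


if __name__ == "__main__":
    print(build_query(addslashes))
    print(build_query(escape_gbk))
    print("addslashes, single-byte connection:", injected(addslashes, multibyte=False))
    print("addslashes, GBK connection:        ", injected(addslashes, multibyte=True))
    print("escape_gbk, GBK connection:        ", injected(escape_gbk, multibyte=True))
```

Running it shows the three outcomes that matter. With a single-byte connection the byte-wise escaping is fine, which is why the bug goes unnoticed in latin1 setups. With a GBK connection the same escaping turns the payload's `\xbf'` into `\xbf\x5c'`, which the server reads as one two-byte character followed by a bare quote, and `OR 1=1` lands in the query. The charset-aware escaper escapes the dangling lead byte itself (and, unlike addslashes(), leaves a legitimate character whose trail byte is 0x5c intact). Which of the two behaviours mysql_real_escape_string() actually gives you depends on the character set the client library believes is in effect, so a connection whose charset was changed behind the library's back gets the vulnerable case; prepared statements sidestep the question entirely.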

tagged: addslashes mysql_real_escape_string debate protect sql injection
