mysql_real_escape_string or strip_tags - Which is more Secure

fresher_06 Member
edited November 2012 in General

Hi All,

I am using the function below, which I named "protect", and passing every POST variable through it before using it in my PHP script.

function protect($string){
    $string = trim(strip_tags(addslashes($string)));
    return $string;
}

And then using it as below --

$Customer_id = protect($_POST['cust_id']);

My question is which is more secure: the mysql_real_escape_string call below, or the protect function above --

$Customer_id = mysql_real_escape_string($_POST['cust_id']);

In both cases I am going to use $Customer_id in the MySQL query, so I am just worried about which one is more secure, injection-wise.

Thanks

Comments

  • NickM Member
    edited November 2012

    If $Customer_id is supposed to be an integer, you should use $Customer_id = filter_var($_POST['cust_id'], FILTER_VALIDATE_INT);

    Edit: And use PDO for your queries! mysql_* is deprecated.

  • @NickM, if it is not an integer, then what should I use? Is mysql_real_escape_string still secure?
    And I do understand that I need to change the whole of my application to PDO, but I have to live with mysql_* as of now.

  • joepie91 Member, Patron Provider

    Bad, bad, bad. Very very bad.

    1. Don't use mysql_*. Use PDO.
    2. strip_tags is only intended to strip HTML tags from your content - typically you'll want to use htmlspecialchars (which makes HTML show up as text instead of being parsed as HTML), and you should only ever use it for output. You can't make a 'universal' "protect" function.
    3. Why are you using trim()?
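The three separate layers NickM and joepie91 describe (validate the input for its expected type, let the driver parameterise the query, escape only at output) as one added PHP example. This is not code from the thread; it assumes a `customers` table with `cust_id` (INT) and `name` (VARCHAR) columns, and the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the thread): instead of one "protect" function,
// each layer handles the context it actually belongs to.
// Assumptions: table `customers` (cust_id INT, name VARCHAR); DSN and
// credentials below are placeholders.

// 1. Validate the input for the type you expect. FILTER_VALIDATE_INT returns
//    false for anything that is not a well-formed integer.
$raw    = isset($_POST['cust_id']) ? $_POST['cust_id'] : '';
$custId = filter_var($raw, FILTER_VALIDATE_INT);
if ($custId === false) {
    http_response_code(400);
    exit('cust_id must be an integer');
}

// 2. Let the database driver separate SQL from data with a prepared statement.
//    Emulated prepares are disabled so the MySQL server receives the parameter
//    itself rather than a client-side interpolated string.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
    'db_user',                                                // placeholder
    'db_password',                                            // placeholder
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    )
);

$stmt = $pdo->prepare('SELECT name FROM customers WHERE cust_id = :id');
$stmt->bindValue(':id', $custId, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Escape for the output context only when you output. The stored value is
//    left exactly as the user entered it, so it can be reused elsewhere
//    (JSON, e-mail, CSV) with the escaping appropriate to that context.
if ($row === false) {
    echo 'No such customer';
} else {
    echo 'Customer: ' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}
```

Note that nothing is stripped or slash-escaped on the way in: the integer is validated, the query is parameterised, and HTML escaping happens at the one place HTML is produced.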
  • @fresher_06
    @joepie91

    In SQL you use quotes to "jail" a variable.
    None of the functions mentioned are good, only addslashes is.
    Addslashes makes sure that SQL inject skiddies can't "escape" the jail.

  • joepie91 Member, Patron Provider

    @BronzeByte said: In SQL you use quotes to "jail" a variable.

    None of the functions mentioned are good, only addslashes is.
    Addslashes makes sure that SQL inject skiddies can't "escape" the jail.

    You're trolling, right?

    Please tell me you're trolling.

  • htmlspecialchars(mysql_real_escape_string($string));

  • @joepie91

    This is the only thing you have to do against SQL injection.
    I do believe the OP wants to validate that: look the number up in the database or, if that is the case, check if it's a number.

  • None, use PDO.

  • joepie91 Member, Patron Provider
    edited November 2012

    @BronzeByte said: This is the only thing you have to do against SQL injection.

    I do believe the OP wants to validate that: look the number up in the database or, if that is the case, check if it's a number.

    I am just going to assume you're not trolling, for the sake of not letting misinfo spread about this.

    If you believe addslashes is 'the right way to do things' (EDIT: and you don't bother to look up what other people mention), you are a complete retard.

    I'm not even going to bother trying to explain why (I've done that plenty of times, feel free to look up my past thread on this topic) - it suffices to say that the only valid methods to secure your shit are to use PDO for database interaction, and to use either htmlspecialchars or strip_tags on output, depending on what the desired result is.

  • @joepie91, I do understand that I should be using PDO; I've learnt my lesson and will try to rewrite my whole application in PDO, but as of now I have to live with mysql_* and am trying to find out the best way to safeguard against injection.

    My understanding till now --

    1) Use filter_var($_POST['cust_id'], FILTER_VALIDATE_INT); -- if I expect an Integer as an Input
    2) For a non-integer as an input -- not sure yet
    3) mysql_real_escape_string -- not sure in exactly what condition should I use it.

    Thanks

  • @joepie91

    I am not a retard...
    But when somebody mentions "security" in SQL queries, then I think of injection.
    So basically you just want to see if the input is clean: use a regex or similar, or use database entries.

  • If you're forced to use the mysql_* functions, then mysql_real_escape_string should do the trick for strings.

  • @fresher_06

    Use filter_var($_POST['cust_id'], FILTER_VALIDATE_INT); -- if I expect an Integer as an Input

    That's an excellent way of doing it! :)

    mysql_real_escape_string -- not sure in exactly what condition should I use it.

    You should always use it when the end user can enter their own string.
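For the posts above that say mysql_real_escape_string "should do the trick for strings" when mysql_* cannot be dropped yet, an added example of the narrow case where that is true: the escaped value must sit between single quotes in the SQL text, and the escaping must use the connection's character set. This is not code from the thread; it targets the PHP 5 mysql extension (removed in PHP 7) and assumes a `customers` table with `cust_id` (INT) and `email` (VARCHAR) columns, with placeholder credentials.

```php
<?php
// Added example (not from the thread): correct use of the legacy mysql_*
// functions while a PDO rewrite is pending. PHP 5 only; mysql_* is gone in PHP 7.
// Assumptions: table `customers` (cust_id INT, email VARCHAR); credentials are
// placeholders.

$link = mysql_connect('localhost', 'db_user', 'db_password'); // placeholders
if ($link === false) {
    die('connection failed');
}
mysql_select_db('example_db', $link);

// mysql_real_escape_string escapes according to the connection's charset, so
// set the charset on the connection itself (not via a "SET NAMES" query,
// which the client library does not see).
mysql_set_charset('utf8', $link);

// Integer column: validate and use the integer. Escaping is the wrong tool
// here because the value is not enclosed in quotes in the query.
$rawId  = isset($_POST['cust_id']) ? $_POST['cust_id'] : '';
$custId = filter_var($rawId, FILTER_VALIDATE_INT);
if ($custId === false) {
    die('cust_id must be an integer');
}

// String column: escape AND quote. The escaping only neutralises quote and
// control characters, so it only protects a value that is placed between
// quotes in the SQL text; an unquoted escaped value is not protected.
$rawEmail = isset($_POST['email']) ? $_POST['email'] : '';
$email    = mysql_real_escape_string($rawEmail, $link);

$sql = sprintf(
    "UPDATE customers SET email = '%s' WHERE cust_id = %d",
    $email,   // escaped, and quoted in the template
    $custId   // validated integer; %d keeps it numeric
);

$result = mysql_query($sql, $link);
if ($result === false) {
    die('query failed');
}
echo 'Updated ' . mysql_affected_rows($link) . ' row(s)';
mysql_close($link);
```

The two rules this encodes are the ones the thread circles around: integers are validated rather than escaped, and a string is only safe when it is both escaped with the live connection and enclosed in quotes in the query.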

  • joepie91 Member, Patron Provider

    @BronzeByte said: I am not a retard...

    Then stop acting like one.

    @BronzeByte said: But when somebody mentions "security" in SQL queries then I think of injection.

    Which is why you use PDO because SQLi is not a possibility there. It helps if you actually read up on what people say instead of just assuming your solution is better.

    @BronzeByte said: So basically you just want to see if the input is clean: use a regex or similar, or use database entries.

    This makes no sense at all. You should probably explain what you mean more clearly.

  • @joepie91 said: You're trolling, right?

    Please tell me you're trolling.

    You are aware that @BronzeByte talked about how he DDoSes iWipo in another thread, right?

  • @gsrdgrdghd

    How is that relevant?

  • @BronzeByte said: In SQL you use quotes to "jail" a variable.

    None of the functions mentioned are good, only addslashes is.
    Addslashes makes sure that SQL inject skiddies can't "escape" the jail.

    LOL

  • Can anyone tell me what is the pros and cons of PDO vs MySQLi?

  • joepie91 Member, Patron Provider

    @seikan said: Can anyone tell me what is the pros and cons of PDO vs MySQLi?

    Mostly, PDO is database-independent - you can use the same code (or well, that goes for all the generic stuff and prepared queries) for every kind of database, by just modifying the 'connection string'. Additionally, I'm not sure if MySQLi does prepared/parameterized queries.

  • @joepie91 said: Additionally, I'm not sure if MySQLi does prepared/parameterized queries.

    It does, but it doesn't allow you to use named parameters.

  • If not PDO, then MySQLi (improved, which oddly isn't turned on by default in most cpanel/whm installations).
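The MySQLi alternative discussed in the last few posts, as an added example that is not code from the thread: MySQLi prepared statements use positional `?` placeholders bound with a type letter per parameter (`i` integer, `s` string) instead of PDO's named `:id` placeholders. It assumes a `customers` table with `cust_id` (INT) and `name` (VARCHAR) columns and placeholder credentials.

```php
<?php
// Added example (not from the thread): a parameterised lookup with MySQLi.
// Assumptions: table `customers` (cust_id INT, name VARCHAR); credentials are
// placeholders.

// Throw exceptions on MySQLi errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'example_db'); // placeholders
$mysqli->set_charset('utf8mb4');

$rawId  = isset($_POST['cust_id']) ? $_POST['cust_id'] : '';
$custId = filter_var($rawId, FILTER_VALIDATE_INT);
if ($custId === false) {
    exit('cust_id must be an integer');
}

// Positional placeholder. bind_param's first argument lists one type letter
// per "?", so the server receives an integer, never a string spliced into SQL.
// (The PDO equivalent would be prepare('... WHERE cust_id = :id') with
// bindValue(':id', ...); MySQLi has no named parameters.)
$stmt = $mysqli->prepare('SELECT name FROM customers WHERE cust_id = ?');
$stmt->bind_param('i', $custId);
$stmt->execute();

// bind_result works on every MySQLi build; get_result() needs mysqlnd.
$stmt->bind_result($name);
if ($stmt->fetch()) {
    echo 'Customer: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} else {
    echo 'No such customer';
}

$stmt->close();
$mysqli->close();
```

Whichever of the two extensions is used, the query text is fixed at prepare time and the value travels separately, which is why the thread's advice to switch off mysql_* amounts to "use prepared statements".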
