Are single quotes automatically escaped in PHP? Then why do you need cleaning?

I am reading about web security, and one obvious topic to consider is SQL injection. I am trying to set up a PHP-based page where I can do SQL injection (this is a local server). However, it looks like my code (or server) automatically escapes single quotes. Is this a new standard, or is there a setting on my server that I don't know about? Is there any need to sanitize input?

Here is an example of my server code:

$foo = $_POST['foo'];
// query built by string concatenation, no sanitizing
$sql = "SELECT * FROM bar WHERE foo='" . $foo . "'";

connectTo("database");
query($sql);

Where connectTo() connects to the database server and selects the database, and query() is the usual procedure used to execute the query. There is no sanitizing anywhere. However, when I submit

$_POST['foo'] = "' OR 1=1 #"

the PHP page receives it as

$_POST['foo'] = "\' OR 1=1 #"


+3
2

PHP , POST/GET, Magic Quotes. , SQL-.


Don't rely on PHP for this! Set magic_quotes_gpc off in php.ini, or strip the added slashes at runtime:

if (get_magic_quotes_gpc()) {
    $process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
    while (list($key, $val) = each($process)) {
        foreach ($val as $k => $v) {
            unset($process[$key][$k]);
            if (is_array($v)) {
                $process[$key][stripslashes($k)] = $v;
                $process[] = &$process[$key][stripslashes($k)];
            } else {
                $process[$key][stripslashes($k)] = stripslashes($v);
            }
        }
    }
    unset($process);
}

See: http://www.php.net/manual/en/security.magicquotes.disabling.php



INSERT INTO someTable (field1, field2) VALUES (:field1, :field2);

:field1 :field2, . , . , (/ , ).

In PHP, that means PDO. About PDO, see:

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

+8
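The point of this answer, shown in code. This is an added example, not code from the question or from either answer: it takes the query from the question, undoes magic-quotes escaping first, and then runs the lookup as a PDO prepared statement. The table layout, the sample rows and the two inputs are constructed for the demo; it uses an in-memory SQLite database so it runs offline, and the `sqlite::memory:` DSN is a stand-in for the real connection.

```php
<?php
// Added example (not from the original question or answers).

// The query from the question, built by string concatenation.
// Kept only so the two forms can be compared; it is never executed here.
function concatenatedSql(string $foo): string
{
    return "SELECT * FROM bar WHERE foo='" . $foo . "'";
}

// The same lookup as a prepared statement: the SQL text is fixed and the
// value is bound separately, so the driver never interprets it as SQL.
function findByFoo(PDO $db, string $foo): array
{
    $stmt = $db->prepare('SELECT * FROM bar WHERE foo = :foo');
    $stmt->bindValue(':foo', $foo, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Undo magic_quotes_gpc if that legacy setting is still on (PHP < 5.4), so the
// value reaches the driver exactly as the user typed it. On PHP >= 5.4 the
// function always returns false; on PHP 8 it no longer exists, hence the guard.
function rawInput(array $source, string $key): string
{
    $value = (string) ($source[$key] ?? '');
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed in-memory database standing in for the real "bar" table.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT)');
$db->exec("INSERT INTO bar (foo) VALUES ('alpha'), ('beta')");

// Constructed inputs: a normal value and the payload from the question.
$inputs = ['alpha', "' OR 1=1 #"];
foreach ($inputs as $raw) {
    $foo = rawInput(['foo' => $raw], 'foo');
    printf("input %s\n", var_export($foo, true));
    printf("  concatenated SQL: %s\n", concatenatedSql($foo));
    printf("  prepared rows:    %d\n", count(findByFoo($db, $foo)));
}
```

With the prepared statement, 'alpha' matches one row and the payload matches none, because the bound value is compared as a literal string rather than being spliced into the WHERE clause. The concatenated string is printed only to show where the payload would have landed; magic quotes changing a quote into `\'` in that string is not a substitute for binding the value.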

Turn off magic_quote in php.ini and use PDO.

+6
