When should I NOT use mysql_real_escape_string

I saw this comment .... http://www.php.net/manual/en/function.mysql-real-escape-string.php#93005

And began to wonder why this would be a bad idea.

+6
php mysql
5 answers

This is a bad idea for several reasons:

  • First, it assumes that your inputs will always go into the database and only into the database. What if something is used in HTML output? Or in an email? Or written to a file? Or many other things... your filtering should always be context-sensitive.
  • More importantly, it encourages the careless use of GET, POST, etc., because there is no indication that they have been filtered. If someone sees you use

    echo $_POST['name'];

    on the page, how would they know it is being filtered? Or worse... are you sure it was? What about this other application? Do you know the one you were just handed? What about new developers? Do they know that filtering is important?

+8

Ideally, you should never have to escape anything before using it in a query, by using PDO prepared statements. The underlying libraries take care of it for you.

In practice, if you cannot or will not use prepared statements, escaping should only be done immediately before building the query string. Do not blindly go and overwrite the contents of the various superglobals (GET, POST, REQUEST, COOKIES) based on the assumption that everything will end up in the database. Think about the case where you first have to validate the form data, and some fields are filled out incorrectly. Now you need to undo everything from "database mode" and return to "html mode" in order to put the good data back into the form.

The same goes for htmlentities / htmlspecialchars. Do not apply them until you know that you are outputting HTML / XML. As soon as you start escaping / encoding / quoting everywhere, you run the risk of double-encoding material and you get useless constructs like "

+3
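The points raised in the first two answers, escaping per output context and only at the point of use, as an added example that is not part of any answer above. It assumes a PDO MySQL connection (placeholder credentials) and uses addslashes as a stand-in for the removed mysql_real_escape_string, which needed a live connection.

```php
<?php
// Constructed sample input: contains both an SQL quote and HTML markup.
$name = "O'Brien <script>alert(1)</script>";

// 1. Database context: no manual escaping at all. A prepared statement
//    sends the value separately from the SQL text, so the quote is data.
function findUser(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. HTML context: escape at output time, with the HTML encoder.
function renderName(string $name): string {
    return '<b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</b>';
}

// 3. Re-displaying a rejected form: the value goes back into HTML, not SQL,
//    so it gets the HTML encoder too, never the SQL one.
function formField(string $name): string {
    return '<input name="name" value="'
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';
}

// What goes wrong if you escape everything "just in case" at request start:
// the SQL-style escaping leaks into the HTML and the user sees backslashes.
function naiveGlobalEscape(string $raw): string {
    // addslashes stands in for mysql_real_escape_string (removed in PHP 7).
    return addslashes($raw);
}

$escapedEverywhere = naiveGlobalEscape($name);
echo formField($escapedEverywhere), "\n";
// value="O\&#039;Brien &lt;script&gt;..." : the backslash is now shown as data
echo formField($name), "\n";
// value="O&#039;Brien &lt;script&gt;..." : correct, HTML-encoded only once
echo renderName($name), "\n";

// Database part, run against a real server (placeholder DSN and credentials):
// $pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
// $rows = findUser($pdo, $name);   // the raw $name, no escaping needed
```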

For any data that will not be placed in an SQL query. If you need to escape output, use htmlspecialchars() (or similar). The same is true for input going into a database: escape it only right before it goes in.

+2

Judging by this specific comment on the site, specifically for this code example, I think it says that if magic_quotes is disabled and you are sure that only your own code runs on the server, you can edit the code and delete the if(get_magic_quotes_gpc())... etc.

In general, though, this is useless for data that you include inside a query without quotes, i.e. integers for identifiers; those must be type-checked instead.

0

you should use mysql_real_escape_string when you want to escape a string that will be included in an SQL query going to a MySQL database - anything outside this area would be a clear sign of "when not to use" it :)

here's a complicated implementation:

    function clean( $p ) {
        if ( function_exists('mysql_real_escape_string') ) {
            if ( function_exists('get_magic_quotes_gpc') ) {
                if ( get_magic_quotes_gpc() ) {
                    // undo the slashes magic_quotes already added,
                    // so the value is not escaped twice
                    $p = stripslashes( $p );
                }
            }
            return mysql_real_escape_string( $p );
        } else {
            // no MySQL extension loaded: the value is returned unchanged
            return $p;
        }
    }
0
