How to cleanse (prevent SQL injection) dynamic SQL in SQL Server?

I believe there are three different cases that you have to worry about:

strings (anything that requires quotes): '''' + replace(@string, '''', '''''') + ''''
names (anything where quotes aren't allowed): quotename(@string)
things that cannot be quoted: this requires whitelisting

Note: Everything in a string variable (char, varchar, nchar, nvarchar, etc.) that comes from user-controlled …

Do I have to use mysql_real_escape_string if I bind parameters?

No, you don't have to escape values yourself (i.e. no, you don't need to call mysqli_real_escape_string) when you are using prepared statements: the DB engine will do that itself. (Actually, if you were calling mysql_real_escape_string and using bound parameters, your strings would get escaped twice — which would not be great: you'd end …

Python SQLite3 SQL Injection Vulnerable Code

An example SQL injection using your first SQL statement:

cursor.execute("insert into user(username, password) values('{0}', '{1}')".format(username, password))

If username and password are "blah", the resulting SQL statement is:

insert into user(username, password) values('blah', 'blah')

and there is no problem with this particular statement. However, if a user is able to enter a value for password, perhaps …

Rails 3 ActiveRecord order – what is the proper SQL injection workaround?

Ryan Bates' method, in your controller:

def index
  @users = User.order(sort_by + " " + direction)
end

private

def sort_by
  %w{email name}.include?(params[:sort_by]) ? params[:sort_by] : 'name'
end

def direction
  %w{asc desc}.include?(params[:direction]) ? params[:direction] : 'asc'
end

Essentially you're making a whitelist, but it's easy to do and insusceptible to injection.

Is mysqli_real_escape_string safe?

Is this correct? Yes. This isolated, handpicked example is safe. It doesn't mean, though, that mysqli_real_escape_string should be viewed as a function whose purpose is to prevent SQL injections, because in this example it protects you only by accident. Is this a good example of how to use mysqli_real_escape_string? Not at all. This function should …

How to avoid SQL injection in CodeIgniter?

CodeIgniter's Active Record methods automatically escape queries for you, to prevent SQL injection.

$this->db->select('*')->from('tablename')->where('var', $val1);
$this->db->get();

or

$this->db->insert('tablename', array('var1' => $val1, 'var2' => $val2));

If you don't want to use Active Records, you can use query bindings to prevent injection.

$sql = "SELECT * FROM tablename WHERE var = ?";
$this->db->query($sql, array($val1));

Or for inserting you can use the insert_string() …