
Double quotes and security


Fukushousha


Hello all, I wanted to talk with you guys about security while writing PHP to communicate with an SQL database. A friend of mine from uni showed me that he can really mess with my database if he added " (double quotes) in my form fields, hence closing the already existing double quotes of the SQL code, and add his own SQL code in there. So he told me to check for double quotes and remove them from anything to be taken from the user. Isn't that already done with get_magic_quotes_gpc()? Also... what are the most important things someone has to take care of as far as security and SQL is concerned? Thanks in advance.


Normally magic quotes would be on and it would strip all the quotes and slashes and everything taken from the user like $_POST, $_GET, $_COOKIE, but some old versions of PHP don't have this security feature so you have to check all user input regarding the above.


You should also run the strings through mysql_real_escape_string(), as magic quotes isn't enough - the magic quotes escaped string will in the mysql_query() be evaluated, negating the escaping. mysql_real_escape_string() also escapes other things not covered by magic quotes, such as comment markers ("#") and statement delimiters (";").


Normally magic quotes would be on and it would stripe all the quotes and slashes and everything taken from the user like: $_POST, $_GET, $_COOKIE , but some old versions of PHP don't have this security feature so u have to check all users input regarding the above.
Magic quotes should never be relied on, and it is being removed from PHP as of PHP 6. You need a function to check if magic quotes is enabled and, if so, strip the slashes that it added. After that you can be sure that there aren't any extra slashes in the input. Once you "normalize" it for magic quotes, then you can add your own slashes. That way no matter what the setting of magic quotes is your code will work the same. I use this function to get a value from get or post:
    function form_var($var)
    {
        $retval = '';
        if (isset($_POST[$var]))
            $retval = $_POST[$var];
        elseif (isset($_GET[$var]))
            $retval = $_GET[$var];

        // Only strip slashes that magic quotes added; the function_exists() guard
        // keeps this running on PHP versions where get_magic_quotes_gpc() was removed.
        $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();

        if (is_array($retval)) {
            foreach ($retval as $k => $v) {
                $retval[$k] = trim($v);
                if ($magic)
                    $retval[$k] = stripslashes($retval[$k]); // was stripslashes($v), which threw away the trim
            }
        } else {
            $retval = trim($retval);
            if ($magic)
                $retval = stripslashes($retval);
        }
        return $retval;
    }

    $value = form_var('name');

That will first check in $_POST and then $_GET, so it gives $_POST priority, and it will strip slashes if necessary and trim the value. If the value is an array then it will loop through the array and strip and trim each element. It also won't give an error if the value isn't set, it will just send back an empty string.

When you use those values in a SQL query, to avoid a SQL injection attack you will either want to use a parameterized query like you can do with the mysqli class, or use a function to escape the values yourself like mysql_real_escape_string. That works only for string values (text values, i.e. if the value needs to be quoted in the SQL query). If your form variable is a number and doesn't need to be quoted in the SQL query, then convert it to a number using either intval or floatval depending on the type. If it's money, for example, or any other decimal number, you would use floatval. If it's an integer like an ID number then you would use intval.

    $id = intval(form_var('id'));

Both of those functions will convert a numeric string to a number. If the string contains invalid characters or isn't numeric then it will return 0, so you can check if the value is 0 to see if it was not entered as a number. But either way, people won't be able to mess with your database if you escape your strings and convert your numbers. If you use a parameterized query like the mysqli class then it will do all of that for you, or you can also write your own database class to do that.
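As an added example (not code from anyone in this thread), here is the quote-closing injection from the first post side by side with the two fixes the reply above recommends: a parameterized query and intval() for numeric fields. It assumes PDO with an in-memory SQLite database in place of MySQL so it runs without a server; mysqli's prepare()/bind_param() behaves the same way.

```php
<?php
// Added example, not from the thread. Assumption: PDO + in-memory SQLite stands in
// for the MySQL connection; the prepared-statement pattern is identical on mysqli.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Vulnerable: the form value is pasted straight into the SQL text, so a quote
// inside it closes the string early and whatever follows becomes SQL.
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the value is sent as a bound parameter and never parsed as SQL, so
// quotes, comment markers and semicolons inside it are plain data.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric field: normalise with intval() as the reply suggests, then bind it.
// intval() keeps only the leading integer, and non-numeric input becomes 0.
function find_user_by_id(PDO $db, string $rawId): array
{
    $id = intval($rawId);
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: closes the open quote and appends an always-true condition,
// the same trick described in the first post (MySQL also accepts double quotes).
$hostile = "' OR '1'='1";

print_r(find_user_unsafe($db, $hostile));  // every row comes back
print_r(find_user_safe($db, $hostile));    // nothing: no user has that literal name
print_r(find_user_by_id($db, '2 OR 1=1')); // only the row with id 2
```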

